[wp-trac] [WordPress Trac] #29889: Login redirect to login page even if authenticated

WordPress Trac noreply at wordpress.org
Wed Oct 8 11:41:25 UTC 2014


#29889: Login redirect to login page even if authenticated
------------------------------------+-----------------------------
 Reporter:  sgissinger              |      Owner:
     Type:  defect (bug)            |     Status:  new
 Priority:  normal                  |  Milestone:  Awaiting Review
Component:  Login and Registration  |    Version:  3.9.2
 Severity:  normal                  |   Keywords:
  Focuses:                          |
------------------------------------+-----------------------------
 We use WordPress in a private manner with use of the '''login_redirect'''
 filter which is applied in the following code in file '''wp-login.php'''
 on line 777.

 {{{
 if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
     if ( headers_sent() ) {
         $user = new WP_Error( 'test_cookie', sprintf( __( '<strong>ERROR</strong>: Cookies are blocked due to unexpected output. For help, please see <a href="%1$s">this documentation</a> or try the <a href="%2$s">support forums</a>.' ),
             __( 'http://codex.wordpress.org/Cookies' ), __( 'https://wordpress.org/support/' ) ) );
     } elseif ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[ TEST_COOKIE ] ) ) {
         // If cookies are disabled we can't log in even with a valid user+pass
         $user = new WP_Error( 'test_cookie', sprintf( __( '<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href="%s">enable cookies</a> to use WordPress.' ),
             __( 'http://codex.wordpress.org/Cookies' ) ) );
     }
 }

 $requested_redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
 /**
  * Filter the login redirect URL.
  *
  * @since 3.0.0
  *
  * @param string           $redirect_to           The redirect destination URL.
  * @param string           $requested_redirect_to The requested redirect destination URL passed as a parameter.
  * @param WP_User|WP_Error $user                  WP_User object if login was successful, WP_Error object otherwise.
  */
 $redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
 }}}

 According to this, we use the '''$user''' parameter in the '''login_redirect'''
 filter to do some stuff.

 == Issue ==
 After a first log in attempt with good credentials, '''$user''' is a
 '''WP_Error''' which isn't normal.
 And when '''$user''' is a '''WP_Error''', my custom filter redirects to the
 login URL.

 Then I try to log in a second time just after the first one with the same
 credentials.
 In this second attempt, '''$user''' is a '''WP_User''', my custom filter
 does not redirect to the login URL and everything works as expected.


 == Additional Information ==
 === Complement 1 ===
 After the first login, if I reach the home URL (which is very different from
 the login URL), I notice that I was successfully authenticated even though I was
 redirected to the login URL by my custom filter.


 === Complement 2 ===
 It seems to happen after my browser has started; subsequent logins, even with
 different credentials, work fine the first time.
 If I restart my browser, this issue occurs and I'm redirected after the first
 log in attempt.


 === Complement 3 ===
 Before our 3.9.2 update we were using 3.6.1, which handled this cookie
 check differently and did not override the '''$user''' object.

 == Workaround ==
 We completely commented these lines and everything now works fine even
 with my custom '''login_redirect''' filter.


 Best

--
Ticket URL: <https://core.trac.wordpress.org/ticket/29889>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
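
The following is an added example, not part of the ticket and not WordPress code: a stand-alone PHP model of the quoted cookie check, showing how a successfully authenticated user can reach a login_redirect callback as an error on the first attempt and as a user on the second. ModelError, ModelUser, the cookie names, the sample user, the '/home/' destination and the filter body are all hypothetical, and it assumes the first request carries no cookies and the form posts a testcookie field.

```php
<?php
// Added illustration, not WordPress code: a stand-alone model of the quoted check.
// ModelError / ModelUser stand in for WP_Error / WP_User; cookie names are constructed.
const MODEL_LOGGED_IN_COOKIE = 'model_logged_in';
const MODEL_TEST_COOKIE      = 'model_test_cookie';

class ModelError {
    public $code;
    public function __construct( $code ) { $this->code = $code; }
}

class ModelUser {
    public $login;
    public function __construct( $login ) { $this->login = $login; }
}

// Same branch structure as the quoted block: a valid $user is replaced by an
// error when the request carries no logged-in cookie and the cookie test fails.
function model_cookie_check( $user, array $cookies, array $post, $headers_sent = false ) {
    if ( empty( $cookies[ MODEL_LOGGED_IN_COOKIE ] ) ) {
        if ( $headers_sent ) {
            $user = new ModelError( 'test_cookie' );
        } elseif ( isset( $post['testcookie'] ) && empty( $cookies[ MODEL_TEST_COOKIE ] ) ) {
            $user = new ModelError( 'test_cookie' );
        }
    }
    return $user;
}

// Hypothetical filter body: any error sends the visitor back to the login page,
// but the error code is kept so a cookie-check failure is distinguishable.
function model_login_redirect( $redirect_to, $user ) {
    if ( $user instanceof ModelError ) {
        return '/wp-login.php?reason=' . $user->code;
    }
    return $redirect_to;
}

$valid = new ModelUser( 'alice' ); // constructed user whose credentials were accepted

// Attempt 1 (assumption): fresh browser session, no cookies sent, form posts testcookie=1.
$first = model_cookie_check( $valid, array(), array( 'testcookie' => '1' ) );
// Attempt 2: the browser now sends the logged-in cookie issued during attempt 1.
$second = model_cookie_check( $valid, array( MODEL_LOGGED_IN_COOKIE => 'x' ), array( 'testcookie' => '1' ) );

foreach ( array( 'first' => $first, 'second' => $second ) as $label => $result ) {
    printf( "%s attempt: %s -> %s\n", $label, get_class( $result ), model_login_redirect( '/home/', $result ) );
}
```

A callback that makes access decisions from $user alone cannot tell this cookie-check error from a failed authentication unless it inspects the error code.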

