[wp-trac] [WordPress Trac] #31294: Customizer no longer gracefully handles session expiration
WordPress Trac
noreply at wordpress.org
Sat Mar 21 16:20:44 UTC 2015
#31294: Customizer no longer gracefully handles session expiration
--------------------------+------------------------
Reporter: westonruter | Owner: ocean90
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: 4.2
Component: Customize | Version: 4.0
Severity: major | Resolution:
Keywords: has-patch | Focuses:
--------------------------+------------------------
Changes (by westonruter):
* keywords: needs-patch => has-patch
* owner: => ocean90
* status: new => reviewing
Comment:
In [attachment:31294.2.diff], the Customizer login now updates nonces upon
successful login.

Prevent cheatin' message after re-authenticating in Customizer. If the
user's session expired while in the Customizer, and they were prompted to
re-authenticate inside the Preview, before this the Customizer would throw
up a cheatin' message because the nonce used to request the preview or
to save the settings was tied to the user's previous session, which is no
longer valid.

As noted by @ocean90, the regression started in 4.0. I see that the
regression is due to the introduction of the user session tokens since the
nonces are now tied to session tokens as opposed to user IDs, and thus
they change with each re-login.

This is a nasty bug because it can result in a user losing their changes,
and getting an unhelpful cheatin' message to boot.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31294#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
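
The failure described in the comment above, as an added example that is not part of the ticket and not WordPress code: a simplified model of a nonce computed as a truncated HMAC over tick, action, user ID and session token. It shows why a nonce issued before re-login fails afterwards unless the client receives a fresh one. The secret, action name, user ID, tick and session tokens are constructed values.

```python
import hashlib
import hmac

SECRET = b"constructed-site-secret"  # stands in for the site's nonce salt (constructed)
ACTION = "example-save-action"       # hypothetical action name


def make_nonce(tick, action, uid, session_token, secret=SECRET):
    """Model a nonce as 10 hex chars of HMAC(tick|action|uid|session_token)."""
    msg = f"{tick}|{action}|{uid}|{session_token}".encode()
    return hmac.new(secret, msg, hashlib.md5).hexdigest()[-12:-2]


def verify_nonce(nonce, tick, action, uid, session_token, secret=SECRET):
    """Accept a nonce from the current or previous tick, compared in constant time."""
    return any(
        hmac.compare_digest(make_nonce(t, action, uid, session_token, secret), nonce)
        for t in (tick, tick - 1)
    )


def simulate_relogin(refresh_nonce, bind_session=True):
    """Return True if a save request succeeds after the user logs in again.

    refresh_nonce: the login response hands the client a new nonce.
    bind_session:  nonce includes the session token (False models binding
                   to the user ID only, as the comment says was the case
                   before session tokens).
    """
    uid, tick = 7, 33000  # constructed values
    old_session = "session-A" if bind_session else ""
    new_session = "session-B" if bind_session else ""

    # Nonce embedded in the page when the editing screen was first loaded.
    nonce = make_nonce(tick, ACTION, uid, old_session)

    # Session expires; the user re-authenticates and gets new_session.
    if refresh_nonce:
        nonce = make_nonce(tick, ACTION, uid, new_session)

    # The server verifies the save request against the *current* session.
    return verify_nonce(nonce, tick, ACTION, uid, new_session)


if __name__ == "__main__":
    print("uid-only binding, stale nonce:   ", simulate_relogin(False, bind_session=False))
    print("session binding, stale nonce:    ", simulate_relogin(False))
    print("session binding, refreshed nonce:", simulate_relogin(True))
```
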