[wp-trac] [WordPress Trac] #16483: Visibility: password-protected exposes multiple pages
WordPress Trac
noreply at wordpress.org
Thu Aug 11 23:42:53 UTC 2016
#16483: Visibility: password-protected exposes multiple pages
--------------------------------------------------+--------------------
Reporter: monkeyhouse | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.7
Component: Security | Version: 3.0.4
Severity: normal | Resolution:
Keywords: dev-feedback needs-testing has-patch | Focuses:
--------------------------------------------------+--------------------
Comment (by voldemortensen):
Replying to [comment:13 helen]:
> Could I please have a summary of the following, both for myself and for
> general reference?
>
> 1. What is the proposed solution in the patch?
The proposed solution is to alter the cookie to be post specific, as
opposed to password specific. Currently, any posts with the same password
can be viewed at the same time.
> 2. How does this affect existing post passwords?
As far as I am aware, this would invalidate all current cookies and force
everyone to re-authenticate to any protected posts. I consider this a non-
issue for a few reasons. Cookies can accidentally be deleted, aren't
available across all devices, clearing browser history often deletes them,
etc., etc. There are so many cases of cookies disappearing that this, to me,
doesn't seem like a big deal.
> 3. How would original functionality be restored via plugin?
In the proposed solution, it wouldn't.
> 4. How does this relate to `WP_Query` changes in #20308 cited above?
I currently don't know the answer to this question, but I will find out.
> 5. How does this affect the REST API? See
> https://github.com/WP-API/WP-API/issues/1055
After reading the REST API issue, it seems like it would make life a
little better for them. It has been noted a couple times that an "ugly
nuance of core" is that it's cookie-based and only based on COOKIEHASH, so
only one password protected post can be viewed at a time. This fixes that
so multiple password protected posts can be viewed.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/16483#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
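The behaviour discussed in this ticket, modelled as an added example that is not WordPress's code or the ticket's patch: a single cookie keyed only by COOKIEHASH (the current behaviour) unlocks every post sharing a password and holds only one password at a time, whereas a cookie keyed per post (the proposed direction) scopes access to the post that was actually unlocked. The post table, COOKIEHASH value and cookie-name suffix are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample data: three protected posts, two of which share a password.
POSTS = {101: "hunter2", 102: "hunter2", 103: "opensesame"}
COOKIEHASH = "abc123"  # stand-in for the per-site COOKIEHASH constant


def _hash(password):
    # Stand-in for the salted hash WordPress stores in the cookie value.
    return hashlib.sha256(password.encode()).hexdigest()


def login_password_scoped(cookies, password):
    # Current behaviour: the form handler does not know which post was requested,
    # so one cookie simply records a hash of the last password typed in.
    cookies["wp-postpass_" + COOKIEHASH] = _hash(password)


def can_view_password_scoped(cookies, post_id):
    stored = cookies.get("wp-postpass_" + COOKIEHASH)
    return stored is not None and hmac.compare_digest(stored, _hash(POSTS[post_id]))


def login_post_scoped(cookies, post_id, password):
    # Proposed direction: the cookie is keyed to the post, and is only set
    # when the submitted password matches that post's password.
    if hmac.compare_digest(password, POSTS[post_id]):
        cookies[f"wp-postpass_{COOKIEHASH}_{post_id}"] = _hash(password)


def can_view_post_scoped(cookies, post_id):
    stored = cookies.get(f"wp-postpass_{COOKIEHASH}_{post_id}")
    return stored is not None and hmac.compare_digest(stored, _hash(POSTS[post_id]))


def demo():
    jar = {}
    login_password_scoped(jar, "hunter2")
    before = {pid: can_view_password_scoped(jar, pid) for pid in POSTS}
    # One cookie exposes both posts that share "hunter2", not just the one visited.
    login_password_scoped(jar, "opensesame")
    after_second = {pid: can_view_password_scoped(jar, pid) for pid in POSTS}
    # Entering a second password overwrote the first: only one post viewable at a time.
    scoped = {}
    login_post_scoped(scoped, 101, "hunter2")
    login_post_scoped(scoped, 103, "opensesame")
    login_post_scoped(scoped, 102, "wrong-guess")  # wrong password sets nothing
    per_post = {pid: can_view_post_scoped(scoped, pid) for pid in POSTS}
    # Posts 101 and 103 stay viewable together; 102 still requires its own entry.
    return before, after_second, per_post
```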