[wp-trac] [WordPress Trac] #42481: Test cookie secure flag prevents non-secure login
WordPress Trac
noreply at wordpress.org
Thu Nov 16 23:00:35 UTC 2017
#42481: Test cookie secure flag prevents non-secure login
------------------------------------+------------------------------
Reporter: RavanH | Owner:
Type: defect (bug) | Status: new
Priority: low | Milestone: Awaiting Review
Component: Login and Registration | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
------------------------------------+------------------------------
Changes (by RavanH):
* keywords: close =>
Comment:
Hmmm, it seems the issue goes deeper than the test cookie alone. Here
[https://status301.net/wp-content/uploads/2017/11/login-http.webm] is a 1
minute screen cast taken from a multi-site where the primary site (front
and admin) is on https but the sub-domain site has both site_url and home
set to http.
Video description:
Logged in on the main site on https, from the '''My Sites''' page I follow
the '''Visit''' link of a sub-site on http. This leads me to the front end
of the subdomain where I'm not logged in (as expected). I then follow the
'''Log In''' link in the Meta widget and try to log in. This results in a
redirect back to the login form with the aforementioned cookie warning.
However, when I then manually type the /wp-admin/ url in the browser, it
shows I am logged in after all.
But when I then go to the theme customizer, it will show the login form in
the preview pane, this time with an "expired" message. Logging in again
will redirect back to the same expired message...
The screen cast stops here but if I use the browser back button, I can get
back to the admin without having to log in again. The session has not
expired at all!
Hope this demonstrates how annoying this can be, occurring in one single
session without ever having to visit an https page without valid ssl
license. Especially lesser gods like sub-site owners that already freak out
at the first cookie warning. They might give up there and then, closing
the browser. Come back later (session cookie cleared) and be able to log
in but then still not be able to use the Theme Customizer or even be
logged in on the front-end at the same time (no admin bar).
There really ''is'' something wrong in the whole ssl versus non-ssl logic
here.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42481#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>