[wp-trac] [WordPress Trac] #42481: Test cookie secure flag prevents non-secure login

WordPress Trac noreply at wordpress.org
Thu Jun 14 23:30:27 UTC 2018


#42481: Test cookie secure flag prevents non-secure login
------------------------------------+------------------------------
 Reporter:  RavanH                  |       Owner:  (none)
     Type:  defect (bug)            |      Status:  new
 Priority:  low                     |   Milestone:  Awaiting Review
Component:  Login and Registration  |     Version:  4.9
 Severity:  normal                  |  Resolution:
 Keywords:                          |     Focuses:
------------------------------------+------------------------------

Comment (by RavanH):

 This bug remains a very nasty one even if it would be on 'edge' cases
 only... And I'm not sure about it being such an edge case actually.

 Take this scenario for example: a WP Multisite with subdomains, open for
 public registration, the main site on domain example.com was created on
 HTTP but has been moved to HTTPS with a Letsencrypt license. Now new sites
 that are created from the front end (public) registration will be on HTTP.

 But since the main site where registration and first login was done over
 HTTPS, the new user will soon run into problems:

 - The first, but very minor, issue is he/she needs to do a second login to
 get into his own fresh new subdomain site admin. Not a big deal, just
 inconvenient and not as it would be if both primary site and subdomain
 site are on the same protocol.

 - Then, after being logged in on the admin, the user will appear to be
 logged out when returning to his site front end (to see changes for
 example) and have no admin bar or edit links. Returning to the admin can
 be done by the browser back button or typing /wp-admin/ so this one too is
 not the most annoying issue.

 - But when he/she tries the theme Customizer, it will fail completely with
 a "Non-existent changeset UUID" error.

 - And no post Preview, of the soon to be published post...

 Specially these last two give a horrible experience for a new user and
 he/she will likely turn elsewhere to blog.

 The only current work-around is either to move the main site back to HTTP
 or to get an expensive wildcard SSL license (at least as long as
 Letsencrypt wildcard challenges remain so elusive to meet) ... Is there
 really no interest in fixing this?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/42481#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list