[wp-trac] [WordPress Trac] #47320: Site Health: Call to API with $_COOKIE and PHPSESSID

WordPress Trac noreply at wordpress.org
Thu May 30 22:57:09 UTC 2019


#47320: Site Health: Call to API with $_COOKIE and PHPSESSID
----------------------------+------------------------------
 Reporter:  matthieumota    |       Owner:  (none)
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  Awaiting Review
Component:  Administration  |     Version:  5.2
 Severity:  trivial         |  Resolution:
 Keywords:  site-health     |     Focuses:
----------------------------+------------------------------

Comment (by Clorith):

 You're quite right that those tests will all fail, since they all rely on
 the site calling itself.

 We've known that incorrect session usage in plugins has been a problem in
 the past (most notably made known when the plugin and theme editors were
 updated to perform loopback checks to ensure you didn't crash your own
 site during an edit), but in those cases plugins have been updated to
 treat sessions differently and the problems have gone away.

 I must admit, I don't recall which plugins, or know what they changed
 though.

 As for stripping out the session id from the cookie which is passed, this
 may backfire: what if a site has been modified to rely on sessions to
 validate a login beyond the regular WordPress auth checks? Do we have some
 good way of approaching a potential scenario like this?

 Also making a note that any changes made to the tests need to be
 replicated elsewhere in core where loopbacks are performed so that the
 behavior is consistent.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/47320#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
