[wp-trac] [WordPress Trac] #48119: Logout does not work when using cookie prefixes

WordPress Trac noreply at wordpress.org
Tue Sep 24 07:04:24 UTC 2019


#48119: Logout does not work when using cookie prefixes
--------------------------+-----------------------------
 Reporter:  lflobbe       |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 When renaming the WordPress cookies to use the __Host- or __Secure- cookie
 prefix, logging out no longer works. The wp_clear_auth_cookie() function
 needs to use the "Secure" cookie flag to ensure that modern browsers will
 allow it to overwrite the login cookies when cookie prefixes are used.

 How to reproduce:

 1. Use HTTPS
 2. Set cookie prefixes in wp-config.php:
 if ( isset( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] === 'on' ) {
   define( 'COOKIEHASH',           md5( WP_HOME ) );
   define( 'USER_COOKIE',          '__Host-wpse_user_'      . COOKIEHASH );
   define( 'PASS_COOKIE',          '__Host-wpse_pass_'      . COOKIEHASH );
   define( 'AUTH_COOKIE',          '__Host-wpse_'           . COOKIEHASH );
   define( 'SECURE_AUTH_COOKIE',   '__Host-wpse_sec_'       . COOKIEHASH );
   define( 'LOGGED_IN_COOKIE',     '__Host-wpse_logged_in_' . COOKIEHASH );
   define( 'TEST_COOKIE',          '__Host-wpse_test_cookie'             );
   // __Host- cookies MUST have their path set to / (and no Domain attribute),
   // otherwise they will be ignored by the browser
   define( 'COOKIEPATH',           '/' );
   define( 'SITECOOKIEPATH',       '/' );
   define( 'ADMIN_COOKIE_PATH',    '/' );
   define( 'PLUGINS_COOKIE_PATH',  '/' );
 }

 3. Login
 4. Try to logout. Inspect the cookies. Notice how the login cookies still
 have their original content and have not been overwritten.

 Solution:
 wp_clear_auth_cookie() needs to use the "Secure" cookie flag under all the
 same circumstances in which wp_set_auth_cookie() uses the "Secure" cookie
 flag.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/48119>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
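As an added illustration, not part of the ticket or of WordPress itself, the following Python model applies the browser-side cookie-prefix rules (Secure flag required for __Secure- and __Host-; __Host- additionally needs no Domain attribute and Path=/) to constructed Set-Cookie headers shaped like the login cookie and the two variants of the clearing cookie. The header strings and the `wpse_` cookie name follow the snippet above and are assumptions, not captured WordPress output.

```python
from dataclasses import dataclass


@dataclass
class SetCookie:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value, or None for flags


def parse_set_cookie(header: str) -> SetCookie:
    """Split a Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else None
    return SetCookie(name.strip(), value, attrs)


def browser_accepts(header: str, secure_origin: bool) -> bool:
    """Would a prefix-aware browser store (or overwrite) this cookie?"""
    c = parse_set_cookie(header)
    if c.name.startswith("__Host-"):
        return (secure_origin and "secure" in c.attrs
                and "domain" not in c.attrs and c.attrs.get("path") == "/")
    if c.name.startswith("__Secure-"):
        return secure_origin and "secure" in c.attrs
    return True  # unprefixed names carry no extra constraints


# Constructed headers in the shape WordPress emits (hash abbreviated).
COOKIE = "__Host-wpse_logged_in_abc123"
SET_HEADER = f"{COOKIE}=user|123|token; Path=/; Secure; HttpOnly"
# clearing cookie as reported: expired, correct path, but no Secure flag
CLEAR_BUGGY = f"{COOKIE}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly"
# the same header with the Secure flag the ticket asks for
CLEAR_FIXED = CLEAR_BUGGY + "; Secure"


def logout_clears_cookie(clear_header: str, secure_origin: bool = True) -> bool:
    """Simulate login then logout and report whether the cookie was emptied."""
    jar = {}
    for header in (SET_HEADER, clear_header):
        if browser_accepts(header, secure_origin):
            c = parse_set_cookie(header)
            jar[c.name] = c.value
    return jar.get(COOKIE, "") == ""


if __name__ == "__main__":
    print("buggy clear empties login cookie:", logout_clears_cookie(CLEAR_BUGGY))
    print("fixed clear empties login cookie:", logout_clears_cookie(CLEAR_FIXED))
```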

