[wp-trac] [WordPress Trac] #48119: Logout does not work when using cookie prefixes
WordPress Trac
noreply at wordpress.org
Tue Sep 24 07:04:24 UTC 2019
#48119: Logout does not work when using cookie prefixes
--------------------------+-----------------------------
 Reporter:  lflobbe       |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
When renaming the WordPress cookies to use the __Host- or __Secure- cookie
prefix, logging out no longer works. The wp_clear_auth_cookie() function
needs to use the "Secure" cookie flag to ensure that modern browsers will
allow it to overwrite the login cookies when cookie prefixes are used.

How to reproduce:

1. Use HTTPS
2. Set cookie prefixes in wp_config.php:

    if (@$_SERVER['HTTPS'] == 'on') {
        define( 'COOKIEHASH', md5( WP_HOME ) );
        define( 'USER_COOKIE', '__Host-wpse_user_' . COOKIEHASH );
        define( 'PASS_COOKIE', '__Host-wpse_pass_' . COOKIEHASH );
        define( 'AUTH_COOKIE', '__Host-wpse_' . COOKIEHASH );
        define( 'SECURE_AUTH_COOKIE', '__Host-wpse_sec_' . COOKIEHASH );
        define( 'LOGGED_IN_COOKIE', '__Host-wpse_logged_in_' . COOKIEHASH );
        define( 'TEST_COOKIE', '__Host-wpse_test_cookie' );
        // __HOST- cookies MUST have their path set to / otherwise they will be
        // ignored by the browser
        define( 'COOKIEPATH', '/' );
        define( 'SITECOOKIEPATH', '/' );
        define( 'ADMIN_COOKIE_PATH', '/' );
        define( 'PLUGINS_COOKIE_PATH', '/' );
    }

3. Login
4. Try to logout. Inspect the cookies. Notice how the login cookies still
have their original content and have not been overwritten.

Solution:
wp_clear_auth_cookie() needs to use the "Secure" cookie flag under all the
same circumstances in which wp_set_auth_cookie() uses the "Secure" cookie
flag.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48119>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
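
The behaviour reported in this ticket can be reproduced offline with a small model of the cookie-prefix checks a browser applies to Set-Cookie. This is an added example, not WordPress code and not part of the original ticket; the function names, the HASH placeholder and the header strings are constructed for illustration.

```javascript
// Simplified model of browser cookie-prefix enforcement (constructed example).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Returns null when the cookie is acceptable, otherwise the rejection reason.
function prefixViolation(cookie, secureOrigin) {
  const { name, attrs } = cookie;
  const isHost = name.startsWith('__Host-');
  if (!isHost && !name.startsWith('__Secure-')) return null;
  if (!attrs.secure) return 'prefixed cookie set without Secure';
  if (!secureOrigin) return 'prefixed cookie set from a non-HTTPS origin';
  if (isHost && attrs.path !== '/') return '__Host- cookie needs Path=/';
  if (isHost && 'domain' in attrs) return '__Host- cookie must not set Domain';
  return null;
}

// Apply one Set-Cookie header to a jar (Map of name -> value).
// A rejected header leaves the jar untouched; an expired cookie is deleted.
function applySetCookie(jar, header, secureOrigin = true) {
  const cookie = parseSetCookie(header);
  const reason = prefixViolation(cookie, secureOrigin);
  if (reason) return { stored: false, reason };
  const expired = cookie.attrs.expires && Date.parse(cookie.attrs.expires) < Date.now();
  if (expired) jar.delete(cookie.name);
  else jar.set(cookie.name, cookie.value);
  return { stored: true, reason: null };
}

// Log in with a valid prefixed cookie, then apply the given "clear" header.
function simulateLogout(clearHeader) {
  const name = '__Host-wpse_logged_in_HASH'; // HASH stands in for COOKIEHASH
  const jar = new Map();
  applySetCookie(jar, `${name}=session-token; Path=/; Secure; HttpOnly`);
  const result = applySetCookie(jar, `${name}=${clearHeader}`);
  return { result, stillLoggedIn: jar.has(name) };
}

const EXPIRED = '%20; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/';
const broken = simulateLogout(EXPIRED);             // clear without Secure
const fixed = simulateLogout(EXPIRED + '; Secure'); // clear with Secure
console.log({ broken, fixed });
```
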