[wp-trac] [WordPress Trac] #48119: Logout does not work when using cookie prefixes
WordPress Trac
noreply at wordpress.org
Tue Sep 24 07:54:33 UTC 2019
#48119: Logout does not work when using cookie prefixes
--------------------------+------------------------------
Reporter: lflobbe | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Changes (by johnbillion):
* version: trunk =>
Old description:
> When renaming the WordPress cookies to use the __Host- or __Secure-
> cookie prefix, logging out no longer works. The wp_clear_auth_cookie()
> function needs to use the "Secure" cookie flag to ensure that modern
> browsers will allow it to overwrite the login cookies when cookie
> prefixes are used.
>
> How to reproduce:
>
> 1. Use HTTPS
> 2. Set cookie prefixes in wp-config.php:
> if (@$_SERVER['HTTPS'] == 'on') {
> define( 'COOKIEHASH', md5( WP_HOME ) );
> define( 'USER_COOKIE', '__Host-wpse_user_' . COOKIEHASH );
> define( 'PASS_COOKIE', '__Host-wpse_pass_' . COOKIEHASH );
> define( 'AUTH_COOKIE', '__Host-wpse_' . COOKIEHASH );
> define( 'SECURE_AUTH_COOKIE', '__Host-wpse_sec_' . COOKIEHASH );
> define( 'LOGGED_IN_COOKIE', '__Host-wpse_logged_in_' . COOKIEHASH );
> define( 'TEST_COOKIE', '__Host-wpse_test_cookie' );
> // __HOST- cookies MUST have their path set to / otherwise they will be ignored by the browser
> define( 'COOKIEPATH', '/' );
> define( 'SITECOOKIEPATH', '/' );
> define( 'ADMIN_COOKIE_PATH', '/' );
> define( 'PLUGINS_COOKIE_PATH', '/' );
> }
>
> 3. Login
> 4. Try to logout. Inspect the cookies. Notice how the login cookies still
> have their original content and have not been overwritten.
>
> Solution:
> wp_clear_auth_cookie() needs to use the "Secure" cookie flag under all
> the same circumstances in which wp_set_auth_cookie() uses the "Secure"
> cookie flag.
New description:
When renaming the WordPress cookies to use the `__Host-` or `__Secure-`
cookie prefix, logging out no longer works. The wp_clear_auth_cookie()
function needs to use the "Secure" cookie flag to ensure that modern
browsers will allow it to overwrite the login cookies when cookie prefixes
are used.
How to reproduce:
1. Use HTTPS
2. Set cookie prefixes in wp-config.php:
{{{
if (@$_SERVER['HTTPS'] == 'on') {
define( 'COOKIEHASH', md5( WP_HOME ) );
define( 'USER_COOKIE', '__Host-wpse_user_' . COOKIEHASH );
define( 'PASS_COOKIE', '__Host-wpse_pass_' . COOKIEHASH );
define( 'AUTH_COOKIE', '__Host-wpse_' . COOKIEHASH );
define( 'SECURE_AUTH_COOKIE', '__Host-wpse_sec_' . COOKIEHASH );
define( 'LOGGED_IN_COOKIE', '__Host-wpse_logged_in_' . COOKIEHASH );
define( 'TEST_COOKIE', '__Host-wpse_test_cookie' );
// __HOST- cookies MUST have their path set to / otherwise they will be ignored by the browser
define( 'COOKIEPATH', '/' );
define( 'SITECOOKIEPATH', '/' );
define( 'ADMIN_COOKIE_PATH', '/' );
define( 'PLUGINS_COOKIE_PATH', '/' );
}
}}}
3. Login
4. Try to logout. Inspect the cookies. Notice how the login cookies still
have their original content and have not been overwritten.
Solution:
wp_clear_auth_cookie() needs to use the "Secure" cookie flag under all the
same circumstances in which wp_set_auth_cookie() uses the "Secure" cookie
flag.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48119#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
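To make the reported failure mode concrete, the following is an added example in Python; it is not code from the ticket, its reporter, or WordPress core. It models the browser-side acceptance rules for `__Secure-` and `__Host-` cookies (Secure attribute and secure origin required; `__Host-` additionally requires `Path=/` and no `Domain`) and replays a login followed by two logout responses: one that omits `Secure`, as the ticket describes, and one whose attributes match the login cookie. The cookie name with its hash suffix, the cookie value, and the use of `Max-Age=0` for deletion (in place of the past `Expires` timestamp PHP's setcookie() emits) are constructed assumptions for the demonstration.

```python
# Added example (not WordPress code): a model of the cookie-prefix rules a
# modern browser applies, used to show why a logout Set-Cookie that omits
# "Secure" cannot overwrite a "__Host-" login cookie.
from dataclasses import dataclass, field


@dataclass
class SetCookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value, or True for flags


def parse_set_cookie(header: str) -> SetCookie:
    """Split a Set-Cookie header value into name, value and attributes."""
    pairs = [p.strip() for p in header.split(";")]
    name, _, value = pairs[0].partition("=")
    attrs = {}
    for pair in pairs[1:]:
        key, _, val = pair.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return SetCookie(name.strip(), value.strip(), attrs)


def prefix_check(c: SetCookie, secure_origin: bool):
    """Return (accepted, reason) per the __Secure-/__Host- prefix rules of the
    RFC 6265bis draft: a prefixed name needs the Secure attribute and a secure
    origin; __Host- additionally needs Path=/ and no Domain attribute.
    Prefix matching is treated case-insensitively here, as in the draft."""
    lname = c.name.lower()
    if not (lname.startswith("__secure-") or lname.startswith("__host-")):
        return True, "no prefix"
    if c.attrs.get("secure") is not True:
        return False, "prefixed cookie lacks the Secure attribute"
    if not secure_origin:
        return False, "prefixed cookie set from a non-secure origin"
    if lname.startswith("__host-"):
        if "domain" in c.attrs:
            return False, "__Host- cookie must not carry a Domain attribute"
        if c.attrs.get("path") != "/":
            return False, "__Host- cookie must have Path=/"
    return True, "accepted"


def apply_set_cookie(jar: dict, header: str, secure_origin: bool = True) -> str:
    """Apply one Set-Cookie header to a jar (name -> value) the way a browser
    would: a rejected cookie leaves the jar untouched; an accepted one with
    Max-Age<=0 deletes the entry; otherwise the value is stored/overwritten.
    (Deletion via a past Expires date behaves the same; omitted for brevity.)"""
    c = parse_set_cookie(header)
    ok, reason = prefix_check(c, secure_origin)
    if not ok:
        return reason
    max_age = c.attrs.get("max-age")
    if max_age is not None and int(max_age) <= 0:
        jar.pop(c.name, None)
        return "deleted"
    jar[c.name] = c.value
    return "stored"


# Constructed name in the ticket's style; "deadbeef" stands in for COOKIEHASH.
AUTH_COOKIE = "__Host-wpse_sec_deadbeef"


def logout_scenario():
    """Login, then a logout response that omits Secure (the bug), then one whose
    attributes match the login's (the fix). Returns (outcome, jar) after each."""
    jar = {}
    # Placeholder value; a real auth cookie carries user, expiry, token and HMAC.
    login = f"{AUTH_COOKIE}=user|1569312000|token|hmac; Path=/; Secure; HttpOnly"
    bad_logout = f"{AUTH_COOKIE}=; Max-Age=0; Path=/; HttpOnly"           # no Secure flag
    good_logout = f"{AUTH_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly"  # mirrors the login
    results = []
    for header in (login, bad_logout, good_logout):
        outcome = apply_set_cookie(jar, header)
        results.append((outcome, dict(jar)))
    return results


if __name__ == "__main__":
    for outcome, jar in logout_scenario():
        print(f"{outcome:45s} jar={jar}")
```

The second step is the ticket's symptom: the browser discards the clearing header because a `__Host-` name without `Secure` violates the prefix rules, so the login cookie survives and the session is still valid. The practical check on a site using prefixed cookie names is to capture the logout response and confirm every clearing `Set-Cookie` header carries the same `Secure`, `Path` and (absent) `Domain` shape as the header that originally set it.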