[wp-trac] [WordPress Trac] #52082: Application Passwords issue with wordpress_logged_in cookie
WordPress Trac
noreply at wordpress.org
Wed Dec 16 17:50:15 UTC 2020
#52082: Application Passwords issue with wordpress_logged_in cookie
-----------------------------------+------------------------------
Reporter: SeBsZ | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Application Passwords | Version: 5.6
Severity: normal | Resolution:
Keywords: | Focuses:
-----------------------------------+------------------------------
Comment (by TimothyBlynJacobs):
> As I mentioned in my original post, setting $current_user = null; in the
> permission_callback actually works with WP 5.6 - this seems to force
> re-authentication and then the REST request works. I was just wondering if
> this is the right workaround or if this needs fixing in WP core?

This is definitely not a good solution, since it will allow for cookie
auth without passing a nonce. The correct solution is to not send cookies.
As a last resort, you could use the return value from
`wp_validate_application_password` in your callback, but I'd highly
recommend avoiding that.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52082#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
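
The fix recommended in the comment above, not sending cookies, shown from the client side as an added example (not part of the ticket or of WordPress core). The site URL, user name, application password and the helper names `basicAuthHeader` and `appPasswordRequest` are assumptions.

```javascript
// Added example: build fetch() options for a WordPress REST call that
// authenticates with an Application Password and never sends cookies.
// Site URL, user name and password below are constructed placeholders.

function basicAuthHeader(user, appPassword) {
  // UTF-8 encode first so non-ASCII user names survive btoa().
  const bytes = new TextEncoder().encode(`${user}:${appPassword}`);
  return 'Basic ' + btoa(String.fromCharCode(...bytes));
}

function appPasswordRequest(url, user, appPassword, init = {}) {
  const target = new URL(url);
  if (target.protocol !== 'https:') {
    // Basic auth carries the credential on every request; keep it off plain HTTP.
    throw new Error('refusing to send an application password over ' + target.protocol);
  }
  // Copy caller headers, dropping any session cookie or stale credential.
  const headers = {};
  for (const [name, value] of Object.entries(init.headers || {})) {
    const lower = name.toLowerCase();
    if (lower !== 'cookie' && lower !== 'authorization') headers[name] = value;
  }
  headers.Authorization = basicAuthHeader(user, appPassword);
  return {
    url: target.href,
    // credentials: 'omit' stops the browser attaching wordpress_logged_in,
    // so the request is authenticated by the Application Password alone.
    options: { ...init, headers, credentials: 'omit' },
  };
}

// Usage with constructed values; the Cookie header is stripped on purpose.
const req = appPasswordRequest(
  'https://example.test/wp-json/wp/v2/users/me',
  'editor',
  'abcd EFGH 1234 ijkl MNOP 5678',
  { method: 'GET', headers: { Cookie: 'wordpress_logged_in_x=stale', Accept: 'application/json' } }
);
// fetch(req.url, req.options).then((r) => r.json()).then(console.log);
```

With cookies omitted, the server-side `permission_callback` needs no `$current_user` reset.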