[wp-trac] [WordPress Trac] #50522: stop setting "older" cookies with multiple path prefixes
WordPress Trac
noreply at wordpress.org
Wed Jul 1 13:38:23 UTC 2020
#50522: stop setting "older" cookies with multiple path prefixes
----------------------------+-----------------------------
Reporter: drzraf | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version: 5.4.2
Severity: normal | Keywords:
Focuses: administration |
----------------------------+-----------------------------
According to `wp_clear_auth_cookie()`,
{{{#!php
<?php
// Auth cookies.
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );

// Settings cookies.
setcookie( 'wp-settings-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );
setcookie( 'wp-settings-time-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );

// Old cookies.
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );

// Even older cookies.
setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );

// Post password cookie.
setcookie( 'wp-postpass_' . COOKIEHASH, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
}}}
Which usually means **19 cookies for a login**. This by itself may represent up to **2.4 kB of header size** for that sole purpose. (Let's remember that many reverse proxies have arbitrary limitations, e.g. HTTP/2 push on Cloudflare at 3 kB.)

An obvious first question is why decade-old cookies are still set instead of the minimal 11 cookies.

We can also observe that in most configurations **COOKIEPATH = /**, and ADMIN_COOKIE_PATH and SITECOOKIEPATH are either equal to or a **subpath of COOKIEPATH**. As a consequence, these additional granular-path cookies are useless because the cookie is already set for the whole domain. This could further remove 2 or 3 cookies.

Couldn't this number of cookies be halved?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50522>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
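To check which of the quoted `setcookie()` calls actually do anything in a browser, here is an added example (not WordPress code and not part of the ticket) that models a cookie jar the way RFC 6265 does: a stored cookie is identified by name, domain and path, a `Set-Cookie` with a past expiry only evicts the cookie with that exact name+path, and path-match decides which cookies are sent on a request. The constants are assumed WordPress defaults (`COOKIE_DOMAIN` unset, so every cookie is host-only and domain is ignored; `COOKIEPATH == SITECOOKIEPATH == "/"`; `ADMIN_COOKIE_PATH == "/wp-admin"`; `PLUGINS_COOKIE_PATH == "/wp-content/plugins"`), `login()` is a simplified model of where a default non-SSL login stores its cookies, and the header-size estimate uses an approximation of PHP's `Set-Cookie` formatting.

```python
"""Replay wp_clear_auth_cookie() against an RFC 6265 cookie-jar model.

Added example, not WordPress code. All constants below are assumed defaults.
"""
import hashlib

# Assumed defaults: cookie names are prefix + md5(siteurl), as in default-constants.php.
COOKIEHASH = hashlib.md5(b"https://example.org").hexdigest()
AUTH_COOKIE = "wordpress_" + COOKIEHASH
SECURE_AUTH_COOKIE = "wordpress_sec_" + COOKIEHASH
LOGGED_IN_COOKIE = "wordpress_logged_in_" + COOKIEHASH
USER_COOKIE = "wordpressuser_" + COOKIEHASH
PASS_COOKIE = "wordpresspass_" + COOKIEHASH
COOKIEPATH = "/"
SITECOOKIEPATH = "/"
ADMIN_COOKIE_PATH = "/wp-admin"
PLUGINS_COOKIE_PATH = "/wp-content/plugins"
NOW = 1_593_610_703  # 2020-07-01 13:38:23 UTC, the ticket timestamp (fixed for determinism)
YEAR_IN_SECONDS = 365 * 24 * 3600


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: is a cookie stored at cookie_path sent to request_path?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieJar:
    """Cookies keyed by (name, path); domain is omitted because every cookie
    here is host-only for the same host (COOKIE_DOMAIN unset)."""

    def __init__(self):
        self.store = {}

    def set_cookie(self, name, value, expires, path):
        """Process one Set-Cookie as a browser would (RFC 6265 5.3, steps 11-12):
        same name+path replaces the stored cookie; a past expiry evicts it.
        Returns True if a cookie with that name+path was stored beforehand."""
        key = (name, path)
        existed = key in self.store
        if expires <= NOW:
            self.store.pop(key, None)
        else:
            self.store[key] = (value, expires)
        return existed

    def sent_on(self, request_path):
        """Names of the cookies the browser would attach to a request."""
        return sorted(n for (n, p) in self.store if path_match(request_path, p))


def login(jar, user_id=1):
    """Populate the jar as a default non-SSL login does (simplified, assumed model)."""
    exp = NOW + 2 * 24 * 3600
    jar.set_cookie(AUTH_COOKIE, "tok", exp, ADMIN_COOKIE_PATH)
    jar.set_cookie(AUTH_COOKIE, "tok", exp, PLUGINS_COOKIE_PATH)
    jar.set_cookie(LOGGED_IN_COOKIE, "tok", exp, COOKIEPATH)
    jar.set_cookie(LOGGED_IN_COOKIE, "tok", exp, SITECOOKIEPATH)  # same key when paths are equal
    jar.set_cookie("wp-settings-%d" % user_id, "x", exp, SITECOOKIEPATH)
    jar.set_cookie("wp-settings-time-%d" % user_id, "x", exp, SITECOOKIEPATH)


def clearing_headers(user_id=1):
    """The (name, path) pairs wp_clear_auth_cookie() expires, in the quoted order."""
    return [
        (AUTH_COOKIE, ADMIN_COOKIE_PATH), (SECURE_AUTH_COOKIE, ADMIN_COOKIE_PATH),
        (AUTH_COOKIE, PLUGINS_COOKIE_PATH), (SECURE_AUTH_COOKIE, PLUGINS_COOKIE_PATH),
        (LOGGED_IN_COOKIE, COOKIEPATH), (LOGGED_IN_COOKIE, SITECOOKIEPATH),
        ("wp-settings-%d" % user_id, SITECOOKIEPATH),
        ("wp-settings-time-%d" % user_id, SITECOOKIEPATH),
        (AUTH_COOKIE, COOKIEPATH), (AUTH_COOKIE, SITECOOKIEPATH),
        (SECURE_AUTH_COOKIE, COOKIEPATH), (SECURE_AUTH_COOKIE, SITECOOKIEPATH),
        (USER_COOKIE, COOKIEPATH), (PASS_COOKIE, COOKIEPATH),
        (USER_COOKIE, SITECOOKIEPATH), (PASS_COOKIE, SITECOOKIEPATH),
        ("wp-postpass_" + COOKIEHASH, COOKIEPATH),
    ]


def clear(jar, user_id=1):
    """Replay wp_clear_auth_cookie(); return only the headers that removed a stored cookie."""
    effective = []
    for name, path in clearing_headers(user_id):
        if jar.set_cookie(name, " ", NOW - YEAR_IN_SECONDS, path):
            effective.append((name, path))
    return effective


def root_only_clear(jar):
    """What a clearing collapsed to path '/' would leave behind: the cookie names
    still sent to /wp-admin/ afterwards (auth cookies stored at /wp-admin survive)."""
    for name in (AUTH_COOKIE, SECURE_AUTH_COOKIE, LOGGED_IN_COOKIE):
        jar.set_cookie(name, " ", NOW - YEAR_IN_SECONDS, "/")
    return jar.sent_on("/wp-admin/")


def header_bytes(user_id=1):
    """Approximate wire size of the clearing Set-Cookie headers (PHP-style formatting, assumed)."""
    fmt = "Set-Cookie: %s=+; expires=Wed, 01-Jul-2019 13:38:23 GMT; Max-Age=0; path=%s\r\n"
    return sum(len(fmt % (name, path)) for name, path in clearing_headers(user_id))


if __name__ == "__main__":
    jar = CookieJar()
    login(jar)
    print("headers emitted:", len(clearing_headers()), "bytes:", header_bytes())
    print("headers that removed a cookie:", clear(jar))
    jar = CookieJar()
    login(jar)
    print("left after a '/'-only clearing, sent to /wp-admin/:", root_only_clear(jar))
```

Under these defaults the quoted function makes 17 `setcookie()` calls, of which several are byte-identical repeats (PHP's `setcookie()` does not deduplicate headers), and only the five whose name+path match a stored cookie remove anything. The model also shows the caveat that matters before collapsing paths: a cookie stored at `/wp-admin` is a different jar entry from one stored at `/`, so expiring the name at `/` alone leaves the admin-path auth cookie in place and still sent to `/wp-admin/`. Identical repeats can be dropped; the per-path entries can only be dropped for paths at which the cookie is never set.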