[wp-trac] [WordPress Trac] #60090: Double login with cloned wordpress instance
WordPress Trac
noreply at wordpress.org
Tue Dec 19 01:51:54 UTC 2023
#60090: Double login with cloned wordpress instance
-------------------------+-------------------------------------------------
Reporter:  vchn          |       Owner:  (none)
Type:  defect (bug)      |      Status:  new
Priority:  normal        |   Milestone:  Awaiting Review
Component:  Security     |     Version:  6.4.2
Severity:  major         |  Resolution:
Keywords:                |     Focuses:  administration, performance, privacy
-------------------------+-------------------------------------------------
Comment (by dd32):

Hi @vchn,

Can you confirm the following details?
- You're not using any Authentication plugins
- The cloned site is using a cloned database
- The user is logged out before the cloning happens
- Single or Multisite?
- Is `COOKIE_DOMAIN` defined in the config?

This sounds like the expected behaviour to me at first. The URL is not
part of the authentication, but is used for the cookies. If the cookies
"leak" from the parent domain to the child staging domain (which your
browser is in control of - affected by the `COOKIE_DOMAIN` constant too) and
either a) the database is shared or b) the login occurs before the
database is cloned, then with an exact replica of the main site a session
would be able to be valid on both sites if all of the auth tokens in the
database and configuration are the same.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60090#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
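
The conditions listed in the comment above can be checked with a small model. The Python below is an added example, not part of the ticket and not WordPress code: the `Site` class, the HMAC cookie layout, the user and token values, and the hosts `example.com` / `staging.example.com` are constructed assumptions that stand in only for "same keys in the configuration" and "same session tokens in the database".

```python
import hashlib
import hmac

def cookie_sent_to(request_host, origin_host, cookie_domain=None):
    """RFC 6265: host-only without a Domain attribute, suffix match with one."""
    host = request_host.lower()
    if cookie_domain is None:
        return host == origin_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

class Site:
    """Simplified stand-in for a site; an assumption, not WordPress internals."""
    def __init__(self, host, secret, sessions, cookie_domain=None):
        self.host, self.secret, self.cookie_domain = host, secret, cookie_domain
        self.sessions = sessions  # models session tokens held in the database

    def _mac(self, user, token):
        return hmac.new(self.secret, f"{user}|{token}".encode(), hashlib.sha256).hexdigest()

    def login(self, user, token):
        self.sessions.add(hashlib.sha256(token.encode()).hexdigest())
        return f"{user}|{token}|{self._mac(user, token)}"

    def accepts(self, cookie):
        user, token, mac = cookie.split("|")
        stored = hashlib.sha256(token.encode()).hexdigest() in self.sessions
        return stored and hmac.compare_digest(mac, self._mac(user, token))

def valid_on_clone(prod, clone, cookie):
    """True when the browser sends prod's cookie to the clone and the clone accepts it."""
    return cookie_sent_to(clone.host, prod.host, prod.cookie_domain) and clone.accepts(cookie)

def scenarios():
    key = b"constructed-shared-key"  # constructed sample secret
    def run(cookie_domain, clone_key, share_db, login_first):
        prod = Site("example.com", key, set(), cookie_domain)
        cookie = prod.login("alice", "tok1") if login_first else None
        db = prod.sessions if share_db else set(prod.sessions)  # shared vs. copied
        clone = Site("staging.example.com", clone_key, db)
        cookie = cookie or prod.login("alice", "tok1")
        return valid_on_clone(prod, clone, cookie)
    return {
        "shared_db": run(".example.com", key, True, False),
        "login_before_clone": run(".example.com", key, False, True),
        "login_after_clone": run(".example.com", key, False, False),
        "rotated_keys": run(".example.com", b"constructed-new-key", False, True),
        "host_only_cookie": run(None, key, True, True),
    }
```

Calling `scenarios()` shows the session carrying over only in the shared-database and login-before-clone cases; a login after the clone, different keys on the clone, or a host-only cookie each break it.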