[wp-trac] [WordPress Trac] #61874: Unable to access WordPress login session during login
WordPress Trac
noreply at wordpress.org
Thu Aug 15 07:03:21 UTC 2024
#61874: Unable to access WordPress login session during login
--------------------------+------------------------------
Reporter: dd32 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Description changed by dd32:
Old description:
> WordPress Sessions are based on a Key which is stored in the Auth
> cookies, and during each login a new session is initiated.
>
> This session token value is only stored in the authentication cookie. In
> order to retrieve it, the auth cookies must be set in `$_COOKIE`, which
> is only done by a client-request.
>
> This leads to an awkward situation, where WordPress will create a login
> session, create cookies based on it, and then have no ability to let any
> further executed code know the session details.
>
> To complicate matters, the logic for retrieving the current user is
> awkward as Core applies two different methodologies between login and
> logout:
> - `wp_signon()` doesn't set the `$current_user` upon login (#39385)
> despite
> - `wp_logout()` clears the `$current_user` global upon logout (#35488)
>
> As a result of that, during the `login_redirect` filter the user will be
> logged out, and during the `logout_redirect` filter the user will also be
> logged out (despite the user being logged in according to the cookies
> superglobal).
>
> For example, the following code does two things:
> 1. Sets additional data in the user session on login (Similar to the Two-
> Factor plugin)
> 2. Hooks to `login_redirect` filter with the intention of acting upon
> data in the current user session.
>
> {{{#!php
> add_filter( 'attach_session_information', function( $session ) {
>     $session['foo'] = 'bar';
>     return $session;
> } );
>
> add_filter( 'login_redirect', function( $redirect, $orig_redirect, $user ) {
>     var_dump( [
>         'variant' => 'Current',
>         '$user->ID' => $user->ID,
>         'get_current_user_id()' => get_current_user_id(),
>         'wp_get_session_token()' => wp_get_session_token(),
>         'session_data' => WP_Session_Tokens::get_instance( $user->ID )->get( wp_get_session_token() )
>     ] );
>     die();
> }, 10, 3 );
> }}}
>
> which results in this output:
> {{{
> wp-content/mu-plugins/example.php:
> array (size=5)
>   'variant' => string 'Current' (length=7)
>   '$user->ID' => int 1
>   'get_current_user_id()' => int 0
>   'wp_get_session_token()' => string '' (length=0)
>   'session_data' => null
> }}}
>
> tl;dr: It's not possible (without hoops, see comments) to retrieve the
> current user session data after login.
New description:
WordPress Sessions are based on a Key which is stored in the Auth cookies,
and during each login a new session is initiated.

This session token value is only stored in the authentication cookie. In
order to retrieve it, the auth cookies must be set in `$_COOKIE`, which is
only done by a client-request.

This leads to an awkward situation, where WordPress will create a login
session, create cookies based on it, and then have no ability to let any
further executed code know the session details.

To complicate matters, the logic for retrieving the current user is
awkward as Core applies two different methodologies between login and
logout:
- `wp_signon()` doesn't set the `$current_user` upon login (#39385)
  despite
- `wp_logout()` clears the `$current_user` global upon logout (#35488)

As a result of that, during the `login_redirect` filter the user will be
logged out, and during the `logout_redirect` filter the user will also be
logged out (despite the user being logged in according to the cookies
superglobal).

For example, the following code does two things:
1. Sets additional data in the user session on login (Similar to the
   Two-Factor plugin)
2. Hooks to `login_redirect` filter with the intention of acting upon data
   in the current user session.

{{{#!php
<?php
// 1. Attach extra data to the session created at login.
add_filter( 'attach_session_information', function( $session ) {
    $session['foo'] = 'bar';
    return $session;
} );

// 2. Try to read that session back during the login redirect.
add_filter( 'login_redirect', function( $redirect, $orig_redirect, $user ) {
    var_dump( [
        'variant' => 'Current',
        '$user->ID' => $user->ID,
        'get_current_user_id()' => get_current_user_id(),
        'wp_get_session_token()' => wp_get_session_token(),
        'session_data' => WP_Session_Tokens::get_instance( $user->ID )->get( wp_get_session_token() )
    ] );
    die(); // Stop here so the dump is visible instead of the redirect.
}, 10, 3 );
}}}

which results in this output:
{{{
wp-content/mu-plugins/example.php:
array (size=5)
  'variant' => string 'Current' (length=7)
  '$user->ID' => int 1
  'get_current_user_id()' => int 0
  'wp_get_session_token()' => string '' (length=0)
  'session_data' => null
}}}

tl;dr: It's not possible (without hoops, see comments) to retrieve the
current user session data after login.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61874#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
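
The description above says the new session cannot be read back in the request that created it because the token exists only in the outgoing cookie. One workaround, as an added example that is not taken from the ticket or its comments: capture the token from the `set_logged_in_cookie` action, which receives it as its sixth argument (WordPress 4.9 and later). The class name `Example_Login_Session_Capture` is hypothetical.

```php
<?php
/**
 * Added example (not WordPress core or ticket code): keep the token that
 * wp_set_auth_cookie() generates so later hooks in the same request can
 * load the session. The class name is hypothetical.
 */
final class Example_Login_Session_Capture {
    /** @var array<int,string> Token per user ID, held in memory for this request only. */
    private static $tokens = array();

    public static function register() {
        // Fired by wp_set_auth_cookie(); the 6th argument is the session token.
        add_action( 'set_logged_in_cookie', array( __CLASS__, 'remember' ), 10, 6 );
        add_filter( 'login_redirect', array( __CLASS__, 'on_redirect' ), 10, 3 );
    }

    public static function remember( $cookie, $expire, $expiration, $user_id, $scheme, $token = '' ) {
        // The token is as sensitive as the cookie: never log or persist it.
        if ( is_string( $token ) && '' !== $token ) {
            self::$tokens[ (int) $user_id ] = $token;
        }
    }

    /** Session array for the login performed in this request, or null. */
    public static function session_for( $user_id ) {
        $user_id = (int) $user_id;
        if ( ! isset( self::$tokens[ $user_id ] ) ) {
            return null;
        }
        return WP_Session_Tokens::get_instance( $user_id )->get( self::$tokens[ $user_id ] );
    }

    public static function on_redirect( $redirect, $orig_redirect, $user ) {
        // login_redirect also runs for failed logins, where $user is a WP_Error.
        if ( ! ( $user instanceof WP_User ) ) {
            return $redirect;
        }
        $session = self::session_for( $user->ID );
        if ( is_array( $session ) && isset( $session['foo'] ) ) {
            // Session data attached via attach_session_information is readable here.
            $redirect = add_query_arg( 'foo', rawurlencode( $session['foo'] ), $redirect );
        }
        return $redirect;
    }
}
Example_Login_Session_Capture::register();
```

`get_current_user_id()` and `wp_get_session_token()` still return `0` and `''` inside the filter; the example only sidesteps them by using the `$user` argument and the captured token.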