[wp-trac] [WordPress Trac] #61874: Unable to access WordPress login session during login

WordPress Trac noreply at wordpress.org
Thu Aug 15 07:03:21 UTC 2024


#61874: Unable to access WordPress login session during login
--------------------------+------------------------------
 Reporter:  dd32          |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Users         |     Version:
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+------------------------------
Description changed by dd32:

Old description:

> WordPress Sessions are based on a Key which is stored in the Auth
> cookies, and during each login a new session is initiated.
>
> This session token value is only stored in the authentication cookie. In
> order to retrieve it, the auth cookies must be set in `$_COOKIE`, which
> is only done by a client-request.
>
> This leads to an awkward situation, where WordPress will create a login
> session, create cookies based on it, and then have no ability to let any
> further executed code know the session details.
>
> To complicate matters, the logic for retrieving the current user is
> awkward as Core applies two different methodologies between login and
> logout:
>  - `wp_signon()` doesn't set the `$current_user` upon login (#39385)
> despite
>  - `wp_logout()` clears the `$current_user` global upon logout (#35488)
>
> As a result of that, during the `login_redirect` filter the user will be
> logged out, and during the `logout_redirect` filter the user will also be
> logged out (despite the user being logged in according to the cookies
> superglobal).
>
> For example, the following code does two things:
> 1. Sets additional data in the user session on login (Similar to the Two-
> Factor plugin)
> 2. Hooks to `login_redirect` filter with the intention of acting upon
> data in the current user session.
>
> {{{#!php
> add_filter( 'attach_session_information', function( $session ) {
>         $session['foo'] = 'bar';
>         return $session;
> } );
>
> add_filter( 'login_redirect', function( $redirect, $orig_redirect, $user ) {
>         var_dump( [
>                 'variant' => 'Current',
>                 '$user->ID' => $user->ID,
>                 'get_current_user_id()' => get_current_user_id(),
>                 'wp_get_session_token()' => wp_get_session_token(),
>                 'session_data' => WP_Session_Tokens::get_instance( $user->ID )->get( wp_get_session_token() )
>         ] );
>         die();
> }, 10, 3 );
> }}}
>
> which results in this output:
> {{{
> wp-content/mu-plugins/example.php:
> array (size=5)
>   'variant' => string 'Current' (length=7)
>   '$user->ID' => int 1
>   'get_current_user_id()' => int 0
>   'wp_get_session_token()' => string '' (length=0)
>   'session_data' => null
> }}}
>
> tl;dr: It's not possible (without hoops, see comments) to retrieve the
> current user session data after login.

New description:

 WordPress Sessions are based on a Key which is stored in the Auth cookies,
 and during each login a new session is initiated.

 This session token value is only stored in the authentication cookie. In
 order to retrieve it, the auth cookies must be set in `$_COOKIE`, which is
 only done by a client-request.

 This leads to an awkward situation, where WordPress will create a login
 session, create cookies based on it, and then have no ability to let any
 further executed code know the session details.

 To complicate matters, the logic for retrieving the current user is
 awkward as Core applies two different methodologies between login and
 logout:
  - `wp_signon()` doesn't set the `$current_user` upon login (#39385)
 despite
  - `wp_logout()` clears the `$current_user` global upon logout (#35488)

 As a result of that, during the `login_redirect` filter the user will be
 logged out, and during the `logout_redirect` filter the user will also be
 logged out (despite the user being logged in according to the cookies
 superglobal).

 For example, the following code does two things:
 1. Sets additional data in the user session on login (Similar to the Two-
 Factor plugin)
 2. Hooks to `login_redirect` filter with the intention of acting upon data
 in the current user session.

 {{{#!php
 <?php
 add_filter( 'attach_session_information', function( $session ) {
         $session['foo'] = 'bar';
         return $session;
 } );

 add_filter( 'login_redirect', function( $redirect, $orig_redirect, $user ) {
         var_dump( [
                 'variant' => 'Current',
                 '$user->ID' => $user->ID,
                 'get_current_user_id()' => get_current_user_id(),
                 'wp_get_session_token()' => wp_get_session_token(),
                 'session_data' => WP_Session_Tokens::get_instance( $user->ID )->get( wp_get_session_token() )
         ] );
         die();
 }, 10, 3 );
 }}}

 which results in this output:
 {{{
 wp-content/mu-plugins/example.php:
 array (size=5)
   'variant' => string 'Current' (length=7)
   '$user->ID' => int 1
   'get_current_user_id()' => int 0
   'wp_get_session_token()' => string '' (length=0)
   'session_data' => null
 }}}

 tl;dr: It's not possible (without hoops, see comments) to retrieve the
 current user session data after login.
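
The following is an added illustration of the workaround the ticket alludes to; it is not code from the ticket, from dd32, or from WordPress core. It relies on the `set_auth_cookie` action, which `wp_set_auth_cookie()` fires with the raw session token as its sixth argument (WordPress 4.9 and later), and stores that token in a static property so that a later `login_redirect` callback in the same request can look up the session record without depending on `$_COOKIE`. The class name, the static-property approach and the `foo` key are this example's own choices.

```php
<?php
/*
 * Added example, not part of ticket #61874. Captures the session token that
 * wp_set_auth_cookie() hands to the 'set_auth_cookie' action during login, so
 * that hooks running later in the same request (such as 'login_redirect') can
 * read the session record even though the auth cookies are not yet in $_COOKIE.
 * Assumes WordPress 4.9+ (the $token parameter of 'set_auth_cookie').
 */
final class Example_Login_Session_Capture {
	/** @var string|null Raw session token issued during this request, if any. */
	private static $token = null;

	public static function register() {
		add_filter( 'attach_session_information', [ __CLASS__, 'attach' ] );
		// Six accepted arguments: the raw token is the sixth parameter.
		add_action( 'set_auth_cookie', [ __CLASS__, 'remember_token' ], 10, 6 );
		add_filter( 'login_redirect', [ __CLASS__, 'on_login_redirect' ], 10, 3 );
	}

	/** Same as the ticket's example: store extra data in the session on login. */
	public static function attach( $session ) {
		$session['foo'] = 'bar';
		return $session;
	}

	/** Fired from wp_set_auth_cookie() before the cookies reach the client. */
	public static function remember_token( $auth_cookie, $expire, $expiration, $user_id, $scheme, $token ) {
		self::$token = $token;
	}

	/**
	 * Token for the login performed in this request; falls back to the cookie
	 * for ordinary requests where no new session was created.
	 */
	public static function current_token() {
		if ( null !== self::$token ) {
			return self::$token;
		}
		return wp_get_session_token(); // '' when the request carried no auth cookie
	}

	public static function on_login_redirect( $redirect, $orig_redirect, $user ) {
		// On a failed login $user is a WP_Error, so there is no session to inspect.
		if ( ! $user instanceof WP_User ) {
			return $redirect;
		}

		$token   = self::current_token();
		$session = ( '' !== $token )
			? WP_Session_Tokens::get_instance( $user->ID )->get( $token )
			: null;

		// $session is now the stored record (including 'foo' => 'bar') instead of
		// the null seen in the ticket; act on it here, then return the redirect.
		if ( is_array( $session ) && isset( $session['foo'] ) ) {
			// e.g. decide on a different $redirect based on the session data
		}
		return $redirect;
	}
}

Example_Login_Session_Capture::register();
```

Because `wp_signon()` sets the auth cookies before `login_redirect` runs, the token has already been captured by the time the redirect filter fires. Note that this only bridges the gap within the login request itself; `get_current_user_id()` still returns `0` there for the reason given in #39385.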

--

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61874#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

