Make WordPress Core

Opened 6 years ago

Last modified 6 years ago

#48119 new defect (bug)

Logout does not work when using cookie prefixes

Reported by: lflobbe
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Users
Keywords:
Focuses:
Cc:

Description (last modified by johnbillion)

When renaming the WordPress cookies to use the __Host- or __Secure- cookie prefix, logging out no longer works. The wp_clear_auth_cookie() function needs to use the "Secure" cookie flag to ensure that modern browsers will allow it to overwrite the login cookies when cookie prefixes are used.

How to reproduce:

  1. Use HTTPS
  2. Set cookie prefixes in wp-config.php:

    if ( @$_SERVER['HTTPS'] == 'on' ) {
        define( 'COOKIEHASH', md5( WP_HOME ) );
        define( 'USER_COOKIE', '__Host-wpse_user_' . COOKIEHASH );
        define( 'PASS_COOKIE', '__Host-wpse_pass_' . COOKIEHASH );
        define( 'AUTH_COOKIE', '__Host-wpse_' . COOKIEHASH );
        define( 'SECURE_AUTH_COOKIE', '__Host-wpse_sec_' . COOKIEHASH );
        define( 'LOGGED_IN_COOKIE', '__Host-wpse_logged_in_' . COOKIEHASH );
        define( 'TEST_COOKIE', '__Host-wpse_test_cookie' );
        // __Host- cookies MUST have their path set to / otherwise they will be ignored by the browser
        define( 'COOKIEPATH', '/' );
        define( 'SITECOOKIEPATH', '/' );
        define( 'ADMIN_COOKIE_PATH', '/' );
        define( 'PLUGINS_COOKIE_PATH', '/' );
    }

  3. Log in
  4. Try to log out. Inspect the cookies. Notice how the login cookies still have their original content and have not been overwritten.

Solution:
wp_clear_auth_cookie() needs to use the "Secure" cookie flag under all the same circumstances in which wp_set_auth_cookie() uses the "Secure" cookie flag.
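The failure described in this ticket is a browser-side rule, not a server-side one: a Set-Cookie header for a __Secure- name is dropped unless it carries Secure, and one for a __Host- name is dropped unless it carries Secure, has no Domain attribute and has Path=/ (the cookie-prefix rules in RFC 6265bis). The following is an added example and not WordPress code: it models those checks in a small cookie jar and replays a login followed by a logout, with clearing headers shaped like the ones wp_clear_auth_cookie() sends (empty value, expiry in the past) both without and with the Secure flag. The COOKIEHASH value, the cookie names and the exact header attributes are constructed for the example.

```javascript
// Added example for this ticket; not WordPress code. It models the checks a
// browser applies to a Set-Cookie header for "__Secure-" and "__Host-" names
// (RFC 6265bis cookie prefixes) and replays a login followed by a logout.

const COOKIEHASH = 'deadbeef'; // constructed stand-in for md5( WP_HOME )

// Parse "name=value; Attr; Attr=val" into its parts (attribute keys lowercased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const value = eq < 0 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Prefix rules: __Secure- needs Secure; __Host- needs Secure, no Domain, Path=/.
// A Secure cookie is also only accepted when set from an https origin.
function browserAccepts(header, overHttps) {
  const { name, attrs } = parseSetCookie(header);
  const secure = attrs.secure === true;
  if (secure && !overHttps) return false;
  if (name.startsWith('__Secure-')) return secure;
  if (name.startsWith('__Host-')) return secure && !('domain' in attrs) && attrs.path === '/';
  return true;
}

// Minimal cookie jar keyed by name+path, the way a browser stores cookies.
// A header that fails the prefix rules is silently ignored, which is exactly
// why the logout cookies keep their old value in the bug report.
function applySetCookie(jar, header, overHttps) {
  if (!browserAccepts(header, overHttps)) return false;
  const c = parseSetCookie(header);
  const key = `${c.name}|${c.attrs.path || '/'}`;
  const expired = 'expires' in c.attrs && Date.parse(c.attrs.expires) < Date.now();
  if (expired) delete jar[key]; else jar[key] = c.value;
  return true;
}

// Headers shaped like those from wp_set_auth_cookie() and wp_clear_auth_cookie():
// the clear sends an empty value with an expiry in the past (modelled, not copied).
function setHeader(name, value, path, secure) {
  return `${name}=${value}; Path=${path}; HttpOnly${secure ? '; Secure' : ''}`;
}
function clearHeader(name, path, secure) {
  return `${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=${path}${secure ? '; Secure' : ''}`;
}

// Replay login then logout over https. `prefix` is '' (stock names) or '__Host-';
// `clearSecure` is whether the clearing headers carry the Secure flag (the fix
// this ticket asks for). Returns the login cookie names still in the jar.
function simulateLogout(prefix, clearSecure) {
  const names = ['wpse_', 'wpse_sec_', 'wpse_logged_in_'].map((n) => prefix + n + COOKIEHASH);
  const jar = {};
  for (const n of names) applySetCookie(jar, setHeader(n, 'user|expiry|hmac', '/', true), true);
  for (const n of names) applySetCookie(jar, clearHeader(n, '/', clearSecure), true);
  return Object.keys(jar).map((k) => k.split('|')[0]);
}

console.log(simulateLogout('', false));        // [] : stock names clear fine
console.log(simulateLogout('__Host-', false)); // three cookies remain (the bug)
console.log(simulateLogout('__Host-', true));  // [] : cleared once Secure is set
```

The middle call is the ticket's symptom: the clearing headers are sent, but the browser discards every one of them because a __Host- cookie without Secure never passes the prefix check, so the original authentication cookies stay in the jar. Adding Secure to the clearing headers under the same conditions wp_set_auth_cookie() uses it makes the third call succeed.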

Change History (2)

#1 @johnbillion
6 years ago

  • Description modified (diff)
  • Version trunk deleted

#2 @SergeyBiryukov
6 years ago

  • Component changed from General to Users