Visibility: password-protected exposes multiple pages

[monkeyhouse]

1. password protect a page ('protected') with a password
2. password protect another page ('thistoo') with the SAME password
3. visit 'protected' and enter the password. Page is visible
4. visit 'thistoo'; expected: prompt for password. What happens: Page is visible

Regardless of whether someone with a password has the right to try it in as many pages as they want (and would therefore successfully see the page if the passwords were the same), the user should still be prompted on a page-by-page basis. Global authentication to multiple pages is possible with user accounts and roles. It should not be possible with visibility: password-protected pages.

Make passwords post-specific

I agree that this shouldn't happen - although plain text passwords in cookies aren't really going to prevent someone who is determined ;)

Here's one possible patch. It may cause some issues because previously (and since WP 1.0.0) get_the_password_form() didn't require a post. I can't find any instances in core that don't have a post (or implicit post global) set, but I might have missed something.

modified solarissmoke's patch a bit: no notice when not called inside a loop

This problem still exists in 3.5-RC1-22924. Patch needs refresh.

16483.3.diff does not seem to let me log in to the page at all even with the correct password.

Replying to MikeHansenMe:

16483.3.diff does not seem to let me log in to the page at all even with the correct password.

Thanks, fixed in 16483.4.diff​. Missed [19728] in the previous patch.

Related: #19797

Refreshed

This has been discussed a number of times and there are many who consider this a feature. Punting back to Future Release since it requires negotiations.