
Ticket #12142: 12142.diff

File 12142.diff, 3.0 KB (added by ryan, 4 years ago)

Force reauth if cookie validation fails in auth_redirect()

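--- a/wp-login.php
+++ b/wp-login.php
@@ -520,6 +520,8 @@
                 $redirect_to = admin_url();
         }
 
+        $reauth = empty($_REQUEST['reauth']) ? false : true;
+
         // If the user was redirected to a secure login form from a non-secure admin page, and secure login is required but secure admin is not, then don't use a secure
         // cookie and redirect back to the referring non-secure admin page.  This allows logins to always be POSTed over SSL while allowing the user to choose visiting
         // the admin via http or https.
@@ -530,7 +532,7 @@
 
         $redirect_to = apply_filters('login_redirect', $redirect_to, isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user);
 
-        if ( !is_wp_error($user) ) {
+        if ( !is_wp_error($user) && !$reauth ) {
                 if ( $interim_login ) {
                         $message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
                         login_header( '', $message ); ?>
@@ -549,7 +551,7 @@
 
         $errors = $user;
         // Clear errors if loggedout is set.
-        if ( !empty($_GET['loggedout']) )
+        if ( !empty($_GET['loggedout']) || $reauth )
                 $errors = new WP_Error();
 
         // If cookies are disabled we can't log in even with a valid user+pass
@@ -570,6 +572,10 @@
         elseif  ( $interim_login )
                 $errors->add('expired', __('Your session has expired. Please log-in again.'), 'message');
 
+        // Clear any stale cookies.
+        if ( $reauth )
+                wp_clear_auth_cookie();
+
         login_header(__('Log In'), '', $errors);
 
         if ( isset($_POST['log']) )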
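Review bot: `$reauth = empty($_REQUEST['reauth']) ? false : true;` in the first hunk spells a boolean out as a ternary; `$reauth = ! empty( $_GET['reauth'] );` says the same thing and reads the flag from the query string, which is where wp_login_url() places it, instead of from `$_REQUEST`, which depending on request_order can also be filled from cookies. The `&& !$reauth` guard on the success branch in the second hunk also means a login POST that still carries `reauth=1` is treated as not logged in and has its freshly set cookie removed by the new wp_clear_auth_cookie() block in the last hunk, so the form must not echo the flag back into its action URL or a hidden field; the form markup is not in this diff, so that constraint deserves a comment next to the guard, e.g. `// reauth is only expected on the initial GET; a POST carrying it would have its new cookie cleared below.`. The surrounding code runs outside these hunks, so where `$user` is assigned relative to the `$reauth` check is not visible here.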
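--- a/wp-includes/general-template.php
+++ b/wp-includes/general-template.php
@@ -228,14 +228,18 @@
  * @uses apply_filters() calls 'login_url' hook on final login url
  *
  * @param string $redirect Path to redirect to on login.
+ * @param bool $force_reauth Whether to force reauthorization, even if a cookie is present. Default is false.
+ * @return string A log in url
  */
-function wp_login_url($redirect = '') {
+function wp_login_url($redirect = '', $force_reauth = false) {
         $login_url = site_url('wp-login.php', 'login');
 
-        if ( !empty($redirect) ) {
+        if ( !empty($redirect) )
                 $login_url = add_query_arg('redirect_to', urlencode($redirect), $login_url);
-        }
 
+        if ( $force_reauth )
+                $login_url = add_query_arg('reauth', '1', $login_url);
+
         return apply_filters('login_url', $login_url, $redirect);
 }
 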
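Review bot: The `login_url` filter on the `return` line still receives only `$login_url` and `$redirect`, so a callback that rebuilds the URL from those two values has no way to know reauth was requested and will silently drop the `reauth=1` argument; passing the new parameter through keeps it observable: `return apply_filters('login_url', $login_url, $redirect, $force_reauth);`. The `@uses apply_filters()` docblock line would then mention the extra argument. Dropping the braces on the `$redirect` check and writing the new `if ( $force_reauth )` block the same way keeps the function internally consistent, so that part reads fine.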
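--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -799,7 +799,7 @@
 
         $redirect = ( strpos($_SERVER['REQUEST_URI'], '/options.php') && wp_get_referer() ) ? wp_get_referer() : $proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
 
-        $login_url = wp_login_url($redirect);
+        $login_url = wp_login_url($redirect, true);
 
         wp_redirect($login_url);
         exit();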
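Review bot: The bare `true` on the new `wp_login_url($redirect, true)` line gives a reader no hint of what is being forced; a short comment above it would, e.g. `// Force reauth so wp-login.php clears the cookie that failed validation instead of trusting it.`. auth_redirect() starts outside this hunk, and the `$redirect` value it passes is assembled from `HTTP_HOST` and `REQUEST_URI` on the unchanged line above, so that behaviour is pre-existing and not introduced here.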