Ticket #15330: 15330.diff

File 15330.diff, 2.8 KB (added by ryan, 4 years ago)

Allow plugins more control over secure cookies.

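--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -43,6 +43,8 @@
         if ( '' === $secure_cookie )
                 $secure_cookie = is_ssl();
 
+        $secure_cookie = apply_filters('secure_signon_cookie', $secure_cookie, $credentials);
+
         global $auth_secure_cookie; // XXX ugly hack to pass this to wp_authenticate_cookie
         $auth_secure_cookie = $secure_cookie;
 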
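Review bot: The value returned by the new `secure_signon_cookie` filter is stored in `$auth_secure_cookie` without being normalised, so a callback that returns `''` or `null` leaves the global falsy while the `'' === $secure` fallback in the pluggable.php hunk would still resolve to `is_ssl()`, and the two can disagree about whether the session is secure. Casting at the call site avoids that: `$secure_cookie = (bool) apply_filters('secure_signon_cookie', $secure_cookie, $credentials);`. The filter also hands `$credentials` to every hooked callback; if that is the sign-on array it presumably includes the submitted password, which should be stated in a doc comment above the call, together with the fact that returning false on an SSL request removes the Secure flag from the auth cookie. The enclosing function starts and ends outside this hunk.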
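--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -671,6 +671,9 @@
         if ( '' === $secure )
                 $secure = is_ssl();
 
+        $secure = apply_filters('secure_auth_cookie', $secure, $user_id);
+        $secure_logged_in_cookie = apply_filters('secure_logged_in_cookie', false, $user_id, $secure);
+
         if ( $secure ) {
                 $auth_cookie_name = SECURE_AUTH_COOKIE;
                 $scheme = 'secure_auth';
@@ -689,18 +692,18 @@
         if ( version_compare(phpversion(), '5.2.0', 'ge') ) {
                 setcookie($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
                 setcookie($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
-                setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, false, true);
+                setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true);
                 if ( COOKIEPATH != SITECOOKIEPATH )
-                        setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, false, true);
+                        setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true);
         } else {
                 $cookie_domain = COOKIE_DOMAIN;
                 if ( !empty($cookie_domain) )
                         $cookie_domain .= '; HttpOnly';
                 setcookie($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, $cookie_domain, $secure);
                 setcookie($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, $cookie_domain, $secure);
-                setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, $cookie_domain);
+                setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, $cookie_domain, $secure_logged_in_cookie);
                 if ( COOKIEPATH != SITECOOKIEPATH )
-                        setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, $cookie_domain);
+                        setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, $cookie_domain, $secure_logged_in_cookie);
         }
 }
 endif;
@@ -764,6 +767,8 @@
 
         $secure = ( is_ssl() || force_ssl_admin() );
 
+        $secure = apply_filters('secure_auth_redirect', $secure);
+
         // If https is required and request is http, redirect
         if ( $secure && !is_ssl() && false !== strpos($_SERVER['REQUEST_URI'], 'wp-admin') ) {
                 if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {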
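Review bot: `secure_logged_in_cookie` is filtered from a hard-coded `false` at new line 675, so on a site served entirely over HTTPS the logged-in cookie is still issued without the Secure flag unless a plugin opts in. Deriving the default from the request and the site scheme would make the safe case automatic while leaving the filter as an override: `$secure_logged_in_cookie = apply_filters('secure_logged_in_cookie', $secure && 'https' === parse_url(get_option('home'), PHP_URL_SCHEME), $user_id, $secure);`. Separately, `secure_auth_cookie` and `secure_auth_redirect` (new line 770) are filtered independently, and a callback returning false from either on an SSL or `force_ssl_admin()` site silently removes the Secure flag or the HTTPS redirect; if the rest of the redirect logic picks the cookie scheme from `$secure`, mismatched answers could also cause login loops. Each filter should get a doc comment stating its parameters and that a false return downgrades transport protection. The cookie-setting function begins outside the visible hunks and the redirect function continues past the last one.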