
Ticket #15330: 15330.diff

File 15330.diff, 2.8 KB (added by ryan, 7 years ago)

Allow plugins more control over secure cookies.

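--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -43,6 +43,8 @@
 	if ( '' === $secure_cookie )
 		$secure_cookie = is_ssl();
 
+	$secure_cookie = apply_filters('secure_signon_cookie', $secure_cookie, $credentials);
+
 	global $auth_secure_cookie; // XXX ugly hack to pass this to wp_authenticate_cookie
 	$auth_secure_cookie = $secure_cookie;
 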
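Review bot: The value returned by `apply_filters('secure_signon_cookie', …)` is assigned to `$secure_cookie` and then copied into the global `$auth_secure_cookie` with no normalisation, so a callback that returns a string, int or null changes what the cookie code downstream sees (`'0'` and `''` are falsy, any other string truthy). Casting at the hook boundary keeps the variable a plain bool as the `is_ssl()` fallback presumably yields: `$secure_cookie = (bool) apply_filters('secure_signon_cookie', $secure_cookie, $credentials);`. The same cast belongs on the `secure_auth_cookie`, `secure_logged_in_cookie` and `secure_auth_redirect` filters added in wp-includes/pluggable.php. The enclosing function starts and ends outside the hunk.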
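--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -671,6 +671,9 @@
 	if ( '' === $secure )
 		$secure = is_ssl();
 
+	$secure = apply_filters('secure_auth_cookie', $secure, $user_id);
+	$secure_logged_in_cookie = apply_filters('secure_logged_in_cookie', false, $user_id, $secure);
+
 	if ( $secure ) {
 		$auth_cookie_name = SECURE_AUTH_COOKIE;
 		$scheme = 'secure_auth';
@@ -689,18 +692,18 @@
 	if ( version_compare(phpversion(), '5.2.0', 'ge') ) {
 		setcookie($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
 		setcookie($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, true);
-		setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, false, true);
+		setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true);
 		if ( COOKIEPATH != SITECOOKIEPATH )
-			setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, false, true);
+			setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true);
 	} else {
 		$cookie_domain = COOKIE_DOMAIN;
 		if ( !empty($cookie_domain) )
 			$cookie_domain .= '; HttpOnly';
 		setcookie($auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, $cookie_domain, $secure);
 		setcookie($auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, $cookie_domain, $secure);
-		setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, $cookie_domain);
+		setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, $cookie_domain, $secure_logged_in_cookie);
 		if ( COOKIEPATH != SITECOOKIEPATH )
-			setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, $cookie_domain);
+			setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, $cookie_domain, $secure_logged_in_cookie);
 	}
 }
 endif;
@@ -764,6 +767,8 @@
 
 	$secure = ( is_ssl() || force_ssl_admin() );
 
+	$secure = apply_filters('secure_auth_redirect', $secure);
+
 	// If https is required and request is http, redirect
 	if ( $secure && !is_ssl() && false !== strpos($_SERVER['REQUEST_URI'], 'wp-admin') ) {
 		if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {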
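Review bot: In the first hunk the `secure_logged_in_cookie` filter is seeded with a literal `false` rather than `$secure`, so after an HTTPS login the auth cookie is sent with the Secure flag while LOGGED_IN_COOKIE still goes out without it unless a plugin opts in; the later setcookie() changes make that default reach every LOGGED_IN_COOKIE call. That is presumably deliberate (the logged-in cookie has to be readable on plain-HTTP front-end requests), but nothing in the hunk says so, and the asymmetry is the kind of thing the next maintainer "fixes"; a comment on that line such as `// Logged-in cookie is deliberately non-secure by default so http front-end requests still see it; all-SSL sites can flip it via this filter.` would record the intent. Each new filter would also benefit from a short docblock naming its parameters and the bool it is expected to return, since the unfiltered values here come from `is_ssl()` / `force_ssl_admin()` and the filtered ones are passed straight to setcookie(). The functions enclosing the first and third hunks begin outside the hunk.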