Changeset 14556

Timestamp:

05/11/2010 01:44:40 PM (15 years ago)

Author:

ryan

Message:

Force reauth when auth_redirect() redirects to login. see #12142

Location:

trunk

Files:

• wp-includes/general-template.php (modified) (1 diff)
• wp-includes/pluggable.php (modified) (1 diff)
• wp-login.php (modified) (4 diffs)

trunk/wp-includes/general-template.php

@@ -229 +229 @@
  *
  * @param string $redirect Path to redirect to on login.
- */
-function wp_login_url($redirect = '') {
+ * @param bool $force_reauth Whether to force reauthorization, even if a cookie is present. Default is false.
+ * @return string A log in url
+ */
+function wp_login_url($redirect = '', $force_reauth = false) {
     $login_url = site_url('wp-login.php', 'login');
 
-    if ( !empty($redirect) ) {
+    if ( !empty($redirect) )
         $login_url = add_query_arg('redirect_to', urlencode($redirect), $login_url);
-    }
+
+    if ( $force_reauth )
+        $login_url = add_query_arg('reauth', '1', $login_url);
 
     return apply_filters('login_url', $login_url, $redirect);

trunk/wp-includes/pluggable.php

@@ -800 +800 @@
     $redirect = ( strpos($_SERVER['REQUEST_URI'], '/options.php') && wp_get_referer() ) ? wp_get_referer() : $proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
 
-    $login_url = wp_login_url($redirect);
+    $login_url = wp_login_url($redirect, true);
 
     wp_redirect($login_url);

trunk/wp-login.php

@@ -521 +521 @@
     }
 
+    $reauth = empty($_REQUEST['reauth']) ? false : true;
+
     // If the user was redirected to a secure login form from a non-secure admin page, and secure login is required but secure admin is not, then don't use a secure
     // cookie and redirect back to the referring non-secure admin page.  This allows logins to always be POSTed over SSL while allowing the user to choose visiting
@@ -531 +533 @@
     $redirect_to = apply_filters('login_redirect', $redirect_to, isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user);
 
-    if ( !is_wp_error($user) ) {
+    if ( !is_wp_error($user) && !$reauth ) {
         if ( $interim_login ) {
             $message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
@@ -550 +552 @@
     $errors = $user;
     // Clear errors if loggedout is set.
-    if ( !empty($_GET['loggedout']) )
+    if ( !empty($_GET['loggedout']) || $reauth )
         $errors = new WP_Error();
 
@@ -570 +572 @@
     elseif  ( $interim_login )
         $errors->add('expired', __('Your session has expired. Please log-in again.'), 'message');
+
+    // Clear any stale cookies.
+    if ( $reauth )
+        wp_clear_auth_cookie();
 
     login_header(__('Log In'), '', $errors);