
Changeset 8069


Timestamp:
06/11/2008 05:25:55 PM (12 years ago)
Author:
ryan
Message:

Introduce logged_in cookie. Deliver auth cookies only to wp-admin. See #7001.

Location:
trunk
Files:
8 edited

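--- a/trunk/wp-admin/admin-header.php
+++ b/trunk/wp-admin/admin-header.php
@@ -112,5 +112,5 @@
 <?php } ?>
 
-<div id="user_info"><p><?php printf(__('Howdy, <a href="%1$s">%2$s</a>!'), 'profile.php', $user_identity) ?> | <a href="<?php echo site_url('wp-login.php?action=logout') ?>" title="<?php _e('Log Out') ?>"><?php _e('Log Out'); ?></a> | <?php _e('<a href="http://codex.wordpress.org/">Help</a>') ?> | <?php _e('<a href="http://wordpress.org/support/">Forums</a>') ?> | <?php if ( $gears_compat ) { ?><span id="gears-menu"><a href="#" onclick="wpGears.message(1);return false;"><?php _e('Speed up!') ?></a></span><?php } ?></p></div>
+<div id="user_info"><p><?php printf(__('Howdy, <a href="%1$s">%2$s</a>!'), 'profile.php', $user_identity) ?> | <a href="<?php echo site_url('wp-login.php?action=logout', 'login') ?>" title="<?php _e('Log Out') ?>"><?php _e('Log Out'); ?></a> | <?php _e('<a href="http://codex.wordpress.org/">Help</a>') ?> | <?php _e('<a href="http://wordpress.org/support/">Forums</a>') ?> | <?php if ( $gears_compat ) { ?><span id="gears-menu"><a href="#" onclick="wpGears.message(1);return false;"><?php _e('Speed up!') ?></a></span><?php } ?></p></div>
 
 <?php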
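--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -1769,3 +1769,28 @@
     return ( 'on' == strtolower($_SERVER['HTTPS']) ) ? true : false;
 }
+
+function force_ssl_login($force = '') {
+    static $forced;
+
+    if ( '' != $force ) {
+        $old_forcded = $forced;
+        $forced = $force;
+        return $old_forced;
+    }
+
+    return $forced;
+}
+
+function force_ssl_admin($force = '') {
+    static $forced;
+
+    if ( '' != $force ) {
+        $old_forcded = $forced;
+        $forced = $force;
+        return $old_forced;
+    }
+
+    return $forced;
+}
+
 ?>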
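Review bot: Both new setters assign `$old_forcded` but return `$old_forced` (new lines 1776-1778 and 1788-1790), so the previous value is never returned and the call yields null with an undefined-variable notice; the fix in both functions is `$old_forced = $forced;`. The guard `'' != $force` is also a loose comparison under which `false != ''` evaluates to false, so `force_ssl_admin(false)` and `force_ssl_login(false)` store nothing and cannot switch a previously enabled flag back off; the calls added in wp-settings.php with the default `false` constants are therefore no-ops, harmless today but misleading. `'' !== $force` would express the intent and accept false as a real value.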
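--- a/trunk/wp-includes/general-template.php
+++ b/trunk/wp-includes/general-template.php
@@ -34,7 +34,7 @@
 function wp_loginout() {
     if ( ! is_user_logged_in() )
-        $link = '<a href="' . site_url('wp-login.php', 'forceable') . '">' . __('Log in') . '</a>';
+        $link = '<a href="' . site_url('wp-login.php', 'login') . '">' . __('Log in') . '</a>';
     else
-        $link = '<a href="' . site_url('wp-login.php?action=logout', 'forceable') . '">' . __('Log out') . '</a>';
+        $link = '<a href="' . site_url('wp-login.php?action=logout', 'login') . '">' . __('Log out') . '</a>';
 
     echo apply_filters('loginout', $link);
@@ -46,5 +46,5 @@
     if ( ! is_user_logged_in() ) {
         if ( get_option('users_can_register') )
-            $link = $before . '<a href="' . site_url('wp-login.php?action=register', 'forceable') . '">' . __('Register') . '</a>' . $after;
+            $link = $before . '<a href="' . site_url('wp-login.php?action=register', 'login') . '">' . __('Register') . '</a>' . $after;
         else
             $link = '';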
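--- a/trunk/wp-includes/link-template.php
+++ b/trunk/wp-includes/link-template.php
@@ -781,5 +781,7 @@
     // should the list of allowed schemes be maintained elsewhere?
     if ( !in_array($scheme, array('http', 'https')) ) {
-        if ( ('forceable' == $scheme) && (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) )
+        if ( ('login' == $scheme) && ( force_ssl_login() || force_ssl_admin() ) )
+            $scheme = 'https';
+        elseif ( ('admin' == $scheme) && force_ssl_admin() )
             $scheme = 'https';
         else
@@ -798,5 +800,5 @@
     global $_wp_admin_url;
 
-    $url = site_url('wp-admin/', 'forceable');
+    $url = site_url('wp-admin/', 'admin');
 
     if ( !empty($path) && is_string($path) && strpos($path, '..') === false )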
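Review bot: The accepted `$scheme` values change at new lines 783-785 (`'forceable'` is dropped, `'login'` and `'admin'` are added), but the docblock of site_url() starts outside the hunk and should list the new values and which flag upgrades each to https, since a plugin still passing `'forceable'` now silently reaches the `else` branch instead of an https URL. If that compatibility matters, a one-line alias before the check, `if ( 'forceable' == $scheme ) $scheme = 'login';`, would keep old callers working. Note also that the `'login'` scheme is forced by either flag while `'admin'` is forced only by `force_ssl_admin()`, so the login page can be https while the wp-admin link it leads to stays http; a comment stating that asymmetry is intentional would help the next reader.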
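--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -101,6 +101,8 @@
 
     if ( ! $user = wp_validate_auth_cookie() ) {
-        wp_set_current_user(0);
-        return false;
+         if ( empty($_COOKIE[LOGGED_IN_COOKIE]) || !$user = wp_validate_auth_cookie($_COOKIE[LOGGED_IN_COOKIE], 'logged_in') ) {
+            wp_set_current_user(0);
+            return false;
+         }
     }
 
@@ -466,12 +468,16 @@
  *
  * @param string $cookie Optional. If used, will validate contents instead of cookie's
+ * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
  * @return bool|int False if invalid cookie, User ID if valid.
  */
-function wp_validate_auth_cookie($cookie = '') {
+function wp_validate_auth_cookie($cookie = '', $scheme = 'auth') {
     if ( empty($cookie) ) {
-        if ( is_ssl() )
+        if ( is_ssl() ) {
             $cookie_name = SECURE_AUTH_COOKIE;
-        else
+            $scheme = 'secure_auth';
+        } else {
             $cookie_name = AUTH_COOKIE;
+            $scheme = 'auth';
+        }
 
         if ( empty($_COOKIE[$cookie_name]) )
@@ -496,5 +502,5 @@
         return false;
 
-    $key = wp_hash($username . '|' . $expiration);
+    $key = wp_hash($username . '|' . $expiration, $scheme);
     $hash = hash_hmac('md5', $username . '|' . $expiration, $key);
 
@@ -520,16 +526,16 @@
  * @param int $user_id User ID
  * @param int $expiration Cookie expiration in seconds
- * @param bool $secure Whether the cookie is for https delivery only or not.  Not used by default.  For plugin use.
+ * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
  * @return string Authentication cookie contents
  */
-function wp_generate_auth_cookie($user_id, $expiration, $secure = false) {
+function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') {
     $user = get_userdata($user_id);
 
-    $key = wp_hash($user->user_login . '|' . $expiration);
+    $key = wp_hash($user->user_login . '|' . $expiration, $scheme);
     $hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);
 
     $cookie = $user->user_login . '|' . $expiration . '|' . $hash;
 
-    return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $secure);
+    return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $scheme);
 }
 endif;
@@ -549,5 +555,5 @@
  * @param bool $remember Whether to remember the user or not
  */
-function wp_set_auth_cookie($user_id, $remember = false) {
+function wp_set_auth_cookie($user_id, $remember = false, $secure = '') {
     if ( $remember ) {
         $expiration = $expire = time() + 1209600;
@@ -557,19 +563,25 @@
     }
 
-    if ( is_ssl() ) {
-        $secure = true;
-        $cookie_name = SECURE_AUTH_COOKIE;
+    if ( '' === $secure )
+        $secure = is_ssl() ? true : false;
+
+    if ( $secure ) {
+        $auth_cookie_name = SECURE_AUTH_COOKIE;
+        $scheme = 'secure_auth';
     } else {
-        $secure = false;
-        $cookie_name = AUTH_COOKIE;
-    }
-
-    $cookie = wp_generate_auth_cookie($user_id, $expiration, $secure);
-
-    do_action('set_auth_cookie', $cookie, $expire, $secure);
-
-    setcookie($cookie_name, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure);
+        $auth_cookie_name = AUTH_COOKIE;
+        $scheme = 'auth';
+    }
+
+    $auth_cookie = wp_generate_auth_cookie($user_id, $expiration, $scheme);
+    $logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in');
+
+    do_action('set_auth_cookie', $auth_cookie, $expire, $scheme);
+    do_action('set_auth_cookie', $logged_in_cookie, $expire, 'logged_in');
+
+    setcookie($auth_cookie_name, $auth_cookie, $expire, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN, $secure);
+    setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN);
     if ( COOKIEPATH != SITECOOKIEPATH )
-        setcookie($cookie_name, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure);
+        setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN);
 }
 endif;
@@ -582,8 +594,10 @@
  */
 function wp_clear_auth_cookie() {
-    setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
-    setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
-    setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
-    setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
+    setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+    setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+    setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+    setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+    setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
+    setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
 
     // Old cookies
@@ -622,5 +636,5 @@
     // Checks if a user is logged in, if not redirects them to the login page
 
-    if ( is_ssl() || (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) )
+    if ( is_ssl() || force_ssl_admin() )
         $secure = true;
     else
@@ -629,6 +643,6 @@
     // If https is required and request is http, redirect
     if ( $secure && !is_ssl() ) {
-        if ( false !== strpos($_SERVER['REQUEST_URI'], 'http') ) {
-            wp_redirect(str_replace('http://', 'https://', $_SERVER['REQUEST_URI']));
+        if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
+            wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
             exit();
         } else {
@@ -644,5 +658,10 @@
     nocache_headers();
 
-    $login_url = site_url( 'wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']), 'forceable' );
+    if ( is_ssl() )
+        $proto = 'https://';
+    else
+        $proto = 'http://';
+
+    $login_url = site_url( 'wp-login.php?redirect_to=' . urlencode($proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']), 'login' );
 
     wp_redirect($login_url);
@@ -972,5 +991,5 @@
     $message  = sprintf(__('Username: %s'), $user_login) . "\r\n";
     $message .= sprintf(__('Password: %s'), $plaintext_pass) . "\r\n";
-    $message .= site_url("wp-login.php", 'forceable') . "\r\n";
+    $message .= site_url("wp-login.php", 'login') . "\r\n";
 
     wp_mail($user_email, sprintf(__('[%s] Your username and password'), get_option('blogname')), $message);
@@ -1079,5 +1098,5 @@
  * @return string Salt value from either 'SECRET_KEY' or 'secret' option
  */
-function wp_salt() {
+function wp_salt($scheme = 'auth') {
     global $wp_default_secret_key;
     $secret_key = '';
@@ -1085,15 +1104,48 @@
         $secret_key = SECRET_KEY;
 
-    if ( defined('SECRET_SALT') ) {
-        $salt = SECRET_SALT;
-    } else {
-        $salt = get_option('secret');
-        if ( empty($salt) ) {
-            $salt = wp_generate_password();
-            update_option('secret', $salt);
+    if ( 'auth' == $scheme ) {
+        if ( defined('AUTH_KEY') && ('' != AUTH_KEY) && ( $wp_default_secret_key != AUTH_KEY) )
+            $secret_key = AUTH_KEY;
+
+        if ( defined('AUTH_SALT') ) {
+            $salt = AUTH_SALT;
+        } elseif ( defined('SECRET_SALT') ) {
+            $salt = SECRET_SALT;
+        } else {
+            $salt = get_option('auth_salt');
+            if ( empty($salt) ) {
+                $salt = wp_generate_password();
+                update_option('auth_salt', $salt);
+            }
         }
-    }
-
-    return apply_filters('salt', $secret_key . $salt);
+    } elseif ( 'secure_auth' == $scheme ) {
+        if ( defined('SECURE_AUTH_KEY') && ('' != SECURE_AUTH_KEY) && ( $wp_default_secret_key != SECURE_AUTH_KEY) )
+            $secret_key = SECURE_AUTH_KEY;
+
+        if ( defined('SECURE_AUTH_SALT') ) {
+            $salt = SECRET_AUTH_SALT;
+        } else {
+            $salt = get_option('secure_auth_salt');
+            if ( empty($salt) ) {
+                $salt = wp_generate_password();
+                update_option('secure_auth_salt', $salt);
+            }
+        }
+    } elseif ( 'logged_in' == $scheme ) {
+        if ( defined('LOGGED_IN_KEY') && ('' != LOGGED_IN_KEY) && ( $wp_default_secret_key != LOGGED_IN_KEY) )
+            $secret_key = LOGGED_IN_KEY;
+
+        if ( defined('LOGGED_IN_SALT') ) {
+            $salt = LOGGED_IN_SALT;
+        } else {
+            $salt = get_option('logged_in_salt');
+            if ( empty($salt) ) {
+                $salt = wp_generate_password();
+                update_option('logged_in_salt', $salt);
+            }
+        }
+    }
+
+    return apply_filters('salt', $secret_key . $salt, $scheme);
 }
 endif;
@@ -1109,6 +1161,6 @@
  * @return string Hash of $data
  */
-function wp_hash($data) {
-    $salt = wp_salt();
+function wp_hash($data, $scheme = 'auth') {
+    $salt = wp_salt($scheme);
 
     return hash_hmac('md5', $data, $salt);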
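Review bot: `$salt = SECRET_AUTH_SALT;` at new line 1126 of wp_salt() references a constant that is never defined, while the guard on the line above tests `SECURE_AUTH_SALT`; when a site defines that salt PHP substitutes the bare string 'SECRET_AUTH_SALT' (with a notice), so the configured salt is silently dropped from the secure_auth HMAC key and every such install ends up with the same fixed salt for that scheme. The line should read `$salt = SECURE_AUTH_SALT;`. In the get_currentuserinfo hunk (new lines 103-106) a valid logged_in cookie alone now sets the current user, and that cookie is issued on COOKIEPATH without the secure flag, so outside wp-admin the two cookies carry the same weight for anything that gates on the current user; a comment such as `// A logged_in cookie is enough to authenticate outside wp-admin; it is not bound to the secure path` would make that design choice explicit. auth_redirect (new line 665) builds redirect_to from `$_SERVER['HTTP_HOST']`, which is request-supplied; deriving the host from the configured site URL, as site_url() already does for the login link itself, would avoid trusting it.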
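--- a/trunk/wp-includes/user.php
+++ b/trunk/wp-includes/user.php
@@ -1,5 +1,5 @@
 <?php
 
-function wp_signon( $credentials = '' ) {
+function wp_signon( $credentials = '', $secure_cookie = '' ) {
     if ( empty($credentials) ) {
         if ( ! empty($_POST['log']) )
@@ -22,4 +22,7 @@
     do_action_ref_array('wp_authenticate', array(&$credentials['user_login'], &$credentials['user_password']));
 
+    if ( '' === $secure_cookie )
+        $secure_cookie = is_ssl() ? true : false;
+   
     // If no credential info provided, check cookie.
     if ( empty($credentials['user_login']) && empty($credentials['user_password']) ) {
@@ -28,5 +31,10 @@
                 return new WP_User($user);
 
-            if ( !empty($_COOKIE[AUTH_COOKIE]) )
+            if ( $secure_cookie )
+                $auth_cookie = SECURE_AUTH_COOKIE;
+            else
+                $auth_cookie = AUTH_COOKIE;
+
+            if ( !empty($_COOKIE[$auth_cookie]) )
                 return new WP_Error('expired_session', __('Please log in again.'));
 
@@ -49,5 +57,5 @@
         return $user;
 
-    wp_set_auth_cookie($user->ID, $credentials['remember']);
+    wp_set_auth_cookie($user->ID, $credentials['remember'], $secure_cookie);
     do_action('wp_login', $credentials['user_login']);
     return $user;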
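Review bot: The `expired_session` check now looks for `$_COOKIE[$auth_cookie]` (new lines 33-38), but this same commit moves both auth cookies to the `SITECOOKIEPATH . 'wp-admin'` path, so when wp_signon() runs from wp-login.php at the site root the browser will not send either of them and the branch can no longer fire; LOGGED_IN_COOKIE, which is delivered on COOKIEPATH, looks like the signal this check now needs, i.e. `if ( !empty($_COOKIE[LOGGED_IN_COOKIE]) )`, assuming the cookie-path change lands as shown. The new `$secure_cookie` parameter is undocumented and wp_signon() has no docblock at all; one should be added stating that `''` means "decide from is_ssl()" and that true selects SECURE_AUTH_COOKIE. New line 26 is whitespace-only and should be empty.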
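--- a/trunk/wp-login.php
+++ b/trunk/wp-login.php
@@ -11,4 +11,15 @@
 /** Make sure that the WordPress bootstrap has ran before continuing. */
 require( dirname(__FILE__) . '/wp-load.php' );
+
+// Redirect to https login if forced to use SSL
+if ( (force_ssl_admin() || force_ssl_login()) && !is_ssl() ) {
+    if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
+        wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
+        exit();
+    } else {
+        wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+        exit();         
+    }
+}
 
 /**
@@ -138,5 +149,5 @@
     $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
     $message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n";
-    $message .= site_url("wp-login.php?action=rp&key=$key") . "\r\n";
+    $message .= site_url("wp-login.php?action=rp&key=$key", 'login') . "\r\n";
 
     if ( !wp_mail($user_email, sprintf(__('[%s] Password Reset'), get_option('blogname')), $message) )
@@ -175,5 +186,5 @@
     $message  = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
     $message .= sprintf(__('Password: %s'), $new_pass) . "\r\n";
-    $message .= site_url('wp-login.php') . "\r\n";
+    $message .= site_url('wp-login.php', 'login') . "\r\n";
 
     if (  !wp_mail($user->user_email, sprintf(__('[%s] Your new password'), get_option('blogname')), $message) )
@@ -313,8 +324,8 @@
 <p id="nav">
 <?php if (get_option('users_can_register')) : ?>
-<a href="<?php echo site_url('wp-login.php', 'forceable') ?>"><?php _e('Log in') ?></a> |
-<a href="<?php echo site_url('wp-login.php?action=register') ?>"><?php _e('Register') ?></a>
+<a href="<?php echo site_url('wp-login.php', 'login') ?>"><?php _e('Log in') ?></a> |
+<a href="<?php echo site_url('wp-login.php?action=register', 'login') ?>"><?php _e('Register') ?></a>
 <?php else : ?>
-<a href="<?php echo site_url('wp-login.php', 'forceable') ?>"><?php _e('Log in') ?></a>
+<a href="<?php echo site_url('wp-login.php', 'login') ?>"><?php _e('Log in') ?></a>
 <?php endif; ?>
 </p>
@@ -381,6 +392,6 @@
 
 <p id="nav">
-<a href="<?php echo site_url('wp-login.php', 'forceable') ?>"><?php _e('Log in') ?></a> |
-<a href="<?php echo site_url('wp-login.php?action=lostpassword') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
+<a href="<?php echo site_url('wp-login.php', 'login') ?>"><?php _e('Log in') ?></a> |
+<a href="<?php echo site_url('wp-login.php?action=lostpassword', 'login') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
 </p>
 
@@ -396,10 +407,15 @@
 case 'login' :
 default:
-    $user = wp_signon();
-
     if ( isset( $_REQUEST['redirect_to'] ) )
         $redirect_to = $_REQUEST['redirect_to'];
     else
         $redirect_to = 'wp-admin/';
+
+    if ( is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) )
+        $secure_cookie = false;
+    else
+        $secure_cookie = '';
+
+    $user = wp_signon('', $secure_cookie);
 
     if ( !is_wp_error($user) ) {
@@ -455,8 +471,8 @@
 <?php if ( isset($_GET['checkemail']) && in_array( $_GET['checkemail'], array('confirm', 'newpass') ) ) : ?>
 <?php elseif (get_option('users_can_register')) : ?>
-<a href="<?php echo site_url('wp-login.php?action=register') ?>"><?php _e('Register') ?></a> |
-<a href="<?php echo site_url('wp-login.php?action=lostpassword') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
+<a href="<?php echo site_url('wp-login.php?action=register', 'login') ?>"><?php _e('Register') ?></a> |
+<a href="<?php echo site_url('wp-login.php?action=lostpassword', 'login') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
 <?php else : ?>
-<a href="<?php echo site_url('wp-login.php?action=lostpassword') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
+<a href="<?php echo site_url('wp-login.php?action=lostpassword', 'login') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
 <?php endif; ?>
 </p>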
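Review bot: The https redirect added at new lines 15-23 builds its fallback target from `$_SERVER['HTTP_HOST']`, a request-supplied value, and the same block is duplicated in auth_redirect() in pluggable.php; a target derived from the configured site URL (the host site_url() already knows) would not depend on what the client sent, and a shared helper would remove the duplicate. The cookie decision at new lines 414-417 deserves a comment, because `$secure_cookie = false` deliberately issues a non-secure auth cookie from an https login when the user is about to be sent to an http admin, e.g. `// FORCE_SSL_LOGIN without FORCE_SSL_ADMIN: the session continues over http, so the auth cookie must not be secure-only`. New line 21 carries trailing whitespace after `exit();`.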
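--- a/trunk/wp-settings.php
+++ b/trunk/wp-settings.php
@@ -335,4 +335,11 @@
 /**
  * It is possible to define this in wp-config.php
+ * @since 2.6
+ */
+if ( !defined('LOGGED_IN_COOKIE') )
+    define('LOGGED_IN_COOKIE', 'wordpress_logged_in_' . COOKIEHASH);
+
+/**
+ * It is possible to define this in wp-config.php
  * @since 2.3.0
  */
@@ -360,5 +367,21 @@
 if ( !defined('COOKIE_DOMAIN') )
     define('COOKIE_DOMAIN', false);
-   
+
+/**
+ * It is possible to define this in wp-config.php
+ * @since 2.6
+ */
+if ( !defined('FORCE_SSL_ADMIN') )
+    define('FORCE_SSL_ADMIN', false);
+force_ssl_admin(FORCE_SSL_ADMIN);
+
+/**
+ * It is possible to define this in wp-config.php
+ * @since 2.6
+ */
+if ( !defined('FORCE_SSL_LOGIN') )
+    define('FORCE_SSL_LOGIN', false);
+force_ssl_login(FORCE_SSL_LOGIN);
+
 /**
  * It is possible to define this in wp-config.php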