

Timestamp:
06/11/2008 05:25:55 PM (17 years ago)
Author:
ryan
Message:

Introduce logged_in cookie. Deliver auth cookies only to wp-admin. see #7001

File:
1 edited

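--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -101,6 +101,8 @@
 
     if ( ! $user = wp_validate_auth_cookie() ) {
-        wp_set_current_user(0);
-        return false;
+        if ( empty($_COOKIE[LOGGED_IN_COOKIE]) || !$user = wp_validate_auth_cookie($_COOKIE[LOGGED_IN_COOKIE], 'logged_in') ) {
+            wp_set_current_user(0);
+            return false;
+        }
     }
 
@@ -466,12 +468,16 @@
  *
  * @param string $cookie Optional. If used, will validate contents instead of cookie's
+ * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
  * @return bool|int False if invalid cookie, User ID if valid.
  */
-function wp_validate_auth_cookie($cookie = '') {
+function wp_validate_auth_cookie($cookie = '', $scheme = 'auth') {
     if ( empty($cookie) ) {
-        if ( is_ssl() )
+        if ( is_ssl() ) {
             $cookie_name = SECURE_AUTH_COOKIE;
-        else
+            $scheme = 'secure_auth';
+        } else {
             $cookie_name = AUTH_COOKIE;
+            $scheme = 'auth';
+        }
 
         if ( empty($_COOKIE[$cookie_name]) )
@@ -496,5 +502,5 @@
         return false;
 
-    $key = wp_hash($username . '|' . $expiration);
+    $key = wp_hash($username . '|' . $expiration, $scheme);
     $hash = hash_hmac('md5', $username . '|' . $expiration, $key);
 
@@ -520,16 +526,16 @@
  * @param int $user_id User ID
  * @param int $expiration Cookie expiration in seconds
- * @param bool $secure Whether the cookie is for https delivery only or not.  Not used by default.  For plugin use.
+ * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
  * @return string Authentication cookie contents
  */
-function wp_generate_auth_cookie($user_id, $expiration, $secure = false) {
+function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') {
     $user = get_userdata($user_id);
 
-    $key = wp_hash($user->user_login . '|' . $expiration);
+    $key = wp_hash($user->user_login . '|' . $expiration, $scheme);
     $hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);
 
     $cookie = $user->user_login . '|' . $expiration . '|' . $hash;
 
-    return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $secure);
+    return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $scheme);
 }
 endif;
@@ -549,5 +555,5 @@
  * @param bool $remember Whether to remember the user or not
  */
-function wp_set_auth_cookie($user_id, $remember = false) {
+function wp_set_auth_cookie($user_id, $remember = false, $secure = '') {
     if ( $remember ) {
         $expiration = $expire = time() + 1209600;
@@ -557,19 +563,25 @@
     }
 
-    if ( is_ssl() ) {
-        $secure = true;
-        $cookie_name = SECURE_AUTH_COOKIE;
+    if ( '' === $secure )
+        $secure = is_ssl() ? true : false;
+
+    if ( $secure ) {
+        $auth_cookie_name = SECURE_AUTH_COOKIE;
+        $scheme = 'secure_auth';
     } else {
-        $secure = false;
-        $cookie_name = AUTH_COOKIE;
-    }
-
-    $cookie = wp_generate_auth_cookie($user_id, $expiration, $secure);
-
-    do_action('set_auth_cookie', $cookie, $expire, $secure);
-
-    setcookie($cookie_name, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure);
+        $auth_cookie_name = AUTH_COOKIE;
+        $scheme = 'auth';
+    }
+
+    $auth_cookie = wp_generate_auth_cookie($user_id, $expiration, $scheme);
+    $logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in');
+
+    do_action('set_auth_cookie', $auth_cookie, $expire, $scheme);
+    do_action('set_auth_cookie', $logged_in_cookie, $expire, 'logged_in');
+
+    setcookie($auth_cookie_name, $auth_cookie, $expire, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN, $secure);
+    setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN);
     if ( COOKIEPATH != SITECOOKIEPATH )
-        setcookie($cookie_name, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure);
+        setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN);
 }
 endif;
@@ -582,8 +594,10 @@
  */
 function wp_clear_auth_cookie() {
-    setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
-    setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
-    setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
-    setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
+    setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+    setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+    setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+    setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
+    setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
+    setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
 
     // Old cookies
@@ -622,5 +636,5 @@
     // Checks if a user is logged in, if not redirects them to the login page
 
-    if ( is_ssl() || (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) )
+    if ( is_ssl() || force_ssl_admin() )
         $secure = true;
     else
@@ -629,6 +643,6 @@
     // If https is required and request is http, redirect
     if ( $secure && !is_ssl() ) {
-        if ( false !== strpos($_SERVER['REQUEST_URI'], 'http') ) {
-            wp_redirect(str_replace('http://', 'https://', $_SERVER['REQUEST_URI']));
+        if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
+            wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
             exit();
         } else {
@@ -644,5 +658,10 @@
     nocache_headers();
 
-    $login_url = site_url( 'wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']), 'forceable' );
+    if ( is_ssl() )
+        $proto = 'https://';
+    else
+        $proto = 'http://';
+
+    $login_url = site_url( 'wp-login.php?redirect_to=' . urlencode($proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']), 'login' );
 
     wp_redirect($login_url);
@@ -972,5 +991,5 @@
     $message  = sprintf(__('Username: %s'), $user_login) . "\r\n";
     $message .= sprintf(__('Password: %s'), $plaintext_pass) . "\r\n";
-    $message .= site_url("wp-login.php", 'forceable') . "\r\n";
+    $message .= site_url("wp-login.php", 'login') . "\r\n";
 
     wp_mail($user_email, sprintf(__('[%s] Your username and password'), get_option('blogname')), $message);
@@ -1079,5 +1098,5 @@
  * @return string Salt value from either 'SECRET_KEY' or 'secret' option
  */
-function wp_salt() {
+function wp_salt($scheme = 'auth') {
     global $wp_default_secret_key;
     $secret_key = '';
@@ -1085,15 +1104,48 @@
         $secret_key = SECRET_KEY;
 
-    if ( defined('SECRET_SALT') ) {
-        $salt = SECRET_SALT;
-    } else {
-        $salt = get_option('secret');
-        if ( empty($salt) ) {
-            $salt = wp_generate_password();
-            update_option('secret', $salt);
+    if ( 'auth' == $scheme ) {
+        if ( defined('AUTH_KEY') && ('' != AUTH_KEY) && ( $wp_default_secret_key != AUTH_KEY) )
+            $secret_key = AUTH_KEY;
+
+        if ( defined('AUTH_SALT') ) {
+            $salt = AUTH_SALT;
+        } elseif ( defined('SECRET_SALT') ) {
+            $salt = SECRET_SALT;
+        } else {
+            $salt = get_option('auth_salt');
+            if ( empty($salt) ) {
+                $salt = wp_generate_password();
+                update_option('auth_salt', $salt);
+            }
         }
-    }
-
-    return apply_filters('salt', $secret_key . $salt);
+    } elseif ( 'secure_auth' == $scheme ) {
+        if ( defined('SECURE_AUTH_KEY') && ('' != SECURE_AUTH_KEY) && ( $wp_default_secret_key != SECURE_AUTH_KEY) )
+            $secret_key = SECURE_AUTH_KEY;
+
+        if ( defined('SECURE_AUTH_SALT') ) {
+            $salt = SECRET_AUTH_SALT;
+        } else {
+            $salt = get_option('secure_auth_salt');
+            if ( empty($salt) ) {
+                $salt = wp_generate_password();
+                update_option('secure_auth_salt', $salt);
+            }
+        }
+    } elseif ( 'logged_in' == $scheme ) {
+        if ( defined('LOGGED_IN_KEY') && ('' != LOGGED_IN_KEY) && ( $wp_default_secret_key != LOGGED_IN_KEY) )
+            $secret_key = LOGGED_IN_KEY;
+
+        if ( defined('LOGGED_IN_SALT') ) {
+            $salt = LOGGED_IN_SALT;
+        } else {
+            $salt = get_option('logged_in_salt');
+            if ( empty($salt) ) {
+                $salt = wp_generate_password();
+                update_option('logged_in_salt', $salt);
+            }
+        }
+    }
+
+    return apply_filters('salt', $secret_key . $salt, $scheme);
 }
 endif;
@@ -1109,6 +1161,6 @@
  * @return string Hash of $data
  */
-function wp_hash($data) {
-    $salt = wp_salt();
+function wp_hash($data, $scheme = 'auth') {
+    $salt = wp_salt($scheme);
 
     return hash_hmac('md5', $data, $salt);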
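Review bot: In the new secure_auth branch of wp_salt(), `$salt = SECRET_AUTH_SALT;` names a constant nothing on the page defines, while the guard directly above it tests `defined('SECURE_AUTH_SALT')`; the line should read `$salt = SECURE_AUTH_SALT;`. As written, a site that configures SECURE_AUTH_SALT gets the worst outcome: the branch is taken, PHP of this era resolves the undefined constant to the literal string 'SECRET_AUTH_SALT' (with only a notice), and the salt fed through wp_hash() into every secure_auth cookie key becomes a fixed, publicly known value instead of the configured secret. The same function also has no branch for a $scheme outside auth/secure_auth/logged_in, so $salt is never assigned and the return degrades to `$secret_key` alone; a final `else` that returns false or throws would make an unexpected scheme fail loudly rather than silently weaken the key. wp_salt()'s signature and the SECRET_KEY fallback it relies on sit in the preceding hunk, outside this one.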