__group__ ticket summary owner _component _version priority severity milestone type _status workflow _created modified _description _reporter
Candidates for Closure 50637 Forgot password reset link become text after sending email. Login and Registration 5.4.2 normal minor Awaiting Review defect (bug) new reporter-feedback 2020-07-12T16:28:18Z 2023-08-21T11:49:04Z "Forgot password reset link become text after sending email.
https://i.ibb.co/Db13D7M/WP-Reset-email.png
Like upper image it convert url link into
tag.
" tfarzan007
Candidates for Closure 50672 Login Mask jerks when I define Privacy Policy page in Chrome Browser Login and Registration 5.4.2 normal normal Awaiting Review defect (bug) new reporter-feedback 2020-07-15T19:50:30Z 2023-08-21T11:55:44Z "Login Mask jerks when define Privacy Policy page. The problem occurs only in Chrome Browser and /wp-login.php
[https://dl.dropbox.com/s/8a7gqtakajn7ey6/Login%20jerks.gif]
" Frank Noack
Candidates for Closure 34372 Password reset link invalid for user names containing blanks Login and Registration 4.3.1 normal normal Awaiting Review defect (bug) new reporter-feedback 2015-10-20T18:35:44Z 2021-01-12T21:56:43Z When a user name contains a blank, resetting the corresponding password. The URL in the reset email will contain a blank, at which point the link will be interrupted. ditler
Candidates for Closure 45816 Reset password is not working Login and Registration 5.0.1 normal normal Awaiting Review defect (bug) new reporter-feedback 2019-01-03T14:58:29Z 2019-01-07T10:18:55Z "Hello
When I update wordpress version-5.0.1, I have not getting reset link on mail. I am using ""Pie Register – Custom Registration Form and User Login WordPress Plugin"" this plugin for login-registration." poojabeeline
Candidates for Closure 37857 Strange behaviour for COOKIE_DOMAIN since Wordpress 4.6 Login and Registration 4.6 normal normal Awaiting Review defect (bug) new reporter-feedback 2016-08-28T11:53:15Z 2023-10-05T01:04:22Z "I hope I am right here, because since the last update for WordPress 4.6 there is a very strange behaviour with the by hand sedate constant COOKIE_DOMAIN.
I have adapted COOKIE_DOMAIN in wp-config.php to be able to use the same login data about multible domains away.
Since the update for WordPress 4.6 this causes problems with the browser cache for all dynamic data transfers, like forms etc. Not only in WordPress, but also in form-plugins or WooCommerce.
With the example WooCommerce: data for the goods basket are updated always only after a renewed page-reload. That means, if you go to basket, no changes are active. You need to reload the basket to see the changes in action. The same behavior with changes in forms for addresses etc.
Absolutely no caching module is active. If browser caching is disabled, everything works fine.
These are the changes I've made for the COOKIE_DOMAIN in wp-config.php:
{{{#!php
add( 'username_space', __( 'Username cannot contain spaces.', 'text-domain' ) );
}
return $errors;
}
add_filter( 'registration_errors', 'prefix_check_username_for_spaces', 10, 3 );
}}}
" wparslan
Candidates for Closure 52964 Video On Login Page Login and Registration normal normal Awaiting Review enhancement new reporter-feedback 2021-04-03T12:12:29Z 2023-08-16T16:43:16Z "So I was wondering about how can I add a video as a background of the login form by editing the login form's code.
Turns out we cannot as there is no vector to do so.
Can we add a hook to do so..?" wparslan
Tickets Needing Feedback 38079 Add hooks before output for each action in wp-login.php voldemortensen Login and Registration 4.7 normal normal Future Release enhancement assigned reporter-feedback 2016-09-17T19:13:19Z 2017-10-03T05:59:58Z "7 years ago, in #9682, `wp-login.php` was made more pluggable. The thing is, if you just want to change the look (as my plugin ""Theme My Login"" does), you also have to replicate the logic.
Having an action that fires just before the `login_header()` call in each case of the action handler switch should be sufficient. One such hook is already present for one action: `lost_password`.
However, the hook `register` is already in use for the register link as is the format `{$action}_form`. So, I propose using `pre_{$action}_form`.
Patch incoming." jfarthing84
Tickets Needing Feedback 35428 Allow the suppression of errors if user already exists Login and Registration normal normal enhancement new reporter-feedback 2016-01-12T21:19:14Z 2019-06-04T20:21:01Z "The install instructions for s2members requires that we add a filter to suppress errors
it seems to be we should add the filter to allow this.
" pbearne
Tickets Awaiting Review 38432 Validate user creation and email change by token Login and Registration 4.9 normal normal Awaiting Review feature request new needs-unit-tests 2016-10-21T13:34:31Z 2018-01-17T11:57:10Z "When you register on a wordpress site or when you change your email, we can use a fake email (or error entry) and it create ghost profile. I see 36 bad profile in 2 month on a website.
If an email is send with a validate links (token), the profile or the email change can be executed.
It secure correct data.
Thanks
" lriaudel
Candidates for Closure 38750 Split wp_signups into wp_user_signups and wp_blog_signups Login and Registration 3.0 normal normal Awaiting Review feature request new needs-unit-tests 2016-11-10T19:07:00Z 2019-05-26T19:10:11Z "Right now, `wp_signups` (and the entire related API) does double-duty. It's 1 database table that's used for both users & blogs, but there are a few issues with this approach:
* Open sign-ups may or may not include ability to create sites
* There is no UI for managing sign-ups in WordPress core
* Sign-ups are different between singlesite & multi-site
* Plugins like BuddyPress do their best to include and/or work-around WordPress's core functionality, but end up writing a ton of additional code to manage this
* Other membership plugins are forced to roll their own approach every single time
* It's possible for multisite sign-up race conditions to exist, with users & sites created or activated from underneath each other (documented in `wpmu_activate_signup()`)
I'm adding the multisite focus to this issue, because all of the current code is only relevant to multisite, but I'd like to see single-site inherit whatever future approach we can come up with.
The core sign-ups code, stinks. Yet open registration is part of what makes WordPress & community/membership sites great. I think it would be great to take what we've learned from BuddyPress, WordPress.org, WordPress.com, and the bevy of Membership plugins, and make a great sign-up component/API for WordPress core." johnjamesjacoby
Tickets with Patches 17904 Multisite has more restrictions on user login character set Login and Registration 3.0 normal normal Future Release defect (bug) assigned needs-unit-tests 2011-06-27T11:09:12Z 2024-02-27T07:08:40Z "Multisite has more restrictions on the characters allowed in a user's login name compared to single site. This seems unnecessary and confusing. It was also the root of a recent bug in the importer, see [http://wordpress.org/support/topic/invalid-author-importing-single-wordpress-to-mulitsite-wordpress?replies=21#post-2186667 this forum thread] and the [http://plugins.trac.wordpress.org/changeset/401649 workaround].
I haven't worked up a patch yet since there seem to be a few locations where these restrictions are enforced and I don't know if I have found them all yet:
- wpmu_validate_user_signup() uses the regex `/[a-z0-9]+/`
- ms-default-filters.php adds `strtolower` to `sanitize_user`
Relevant: http://mu.trac.wordpress.org/changeset/1689 [12948]" duck_
Tickets with Patches 53348 No form to log in when visiting wp-login.php with a given query string SergeyBiryukov Login and Registration normal normal Future Release defect (bug) reviewing needs-unit-tests 2021-06-07T12:46:39Z 2022-04-08T06:05:11Z "When I visit the wp-login.php page with specific query strings, I get a blank page. I don't get a form to log in.
The query strings that cause the blank page are
- wp-login.php?action=checkemail
- wp-login.php?checkemail=foo
- wp-login.php?checkemail=bar
- wp-login.php?checkemail=baz
- Note though, wp-login.php?checkemail=confirm does give me a form" henry.wright
Unpatched Enhancements 51173 Add support for /.well-known/change-password Login and Registration normal normal Future Release feature request new needs-unit-tests 2020-08-28T10:48:40Z 2022-10-05T20:23:30Z "[Chrome Feature](https://www.chromestatus.com/feature/6256768407568384)
[Editors Draft](https://wicg.github.io/change-password-url/)
This already landed in Safari
Would it be possible to add support for **/.well-known/change-password** into WordPress?
This might redirect to **wp_login_url()**
" romainmrhenry
Tickets Awaiting Review 34507 New action `before_login_form` Login and Registration normal normal Awaiting Review enhancement new needs-docs 2015-10-30T07:33:57Z 2017-01-10T12:21:39Z "I can add new fields before default fields form. For example I can add social login :
https://food52.com/users/sign_in?next_url=%2F" sebastian.pisula
Candidates for Closure 55260 Update Codex Page to Include Password Visibility Button and Language Switcher Login and Registration 5.9.1 normal normal Awaiting Review enhancement new needs-docs 2022-02-25T16:43:24Z 2022-02-25T16:43:24Z "The Codex page, [https://codex.wordpress.org/Customizing_the_Login_Form /Customizing the Login Form], needs to be updated to include the [https://ibb.co/1dZ23W1 /login form password visibility button and the language switcher].
To assist, the following can be added to the updated page for the benefit of all WordPress users:
**Code to Disable the Password Visibility Button:**
{{{
function remove_wp_hide_pw_button() {
?>
see signup-activate-1.patch
If running `wp()` is required for a reason i don't see, a query could still be saved and it could be interested to use this to set a ""page"" title for the `
` tag.
> see signup-activate-2.patch
" imath
Slated for Next Release 58901 Flush 'user_activation_key' after successfully login rajinsharwar Login and Registration normal normal 6.6 enhancement assigned has-patch 2023-07-25T08:38:46Z 2024-02-12T09:18:32Z "Hi all,
Let's imagine the next steps:
1. User goes to `{site_url}/wp-login.php?action=lostpassword` for getting reset password link to its email.
2. Then go to email and open the reset password link with an expiration time (`DAY_IN_SECONDS` by default). It has been resolved [https://core.trac.wordpress.org/ticket/32429 a long time ago]. But then he remembers his old password and login using a second web browser with its username and old password. At the same time, the link to reset the password remains active in the first browser for a whole day.
3. If it's a public laptop anybody can use the reset password link and login with new credentials and make some hacker things.
**Suggestions:**
Flush the 'user_activation_key' after successful login:
wp-includes/user.php::line 113 before
{{{
do_action( 'wp_login', $user->user_login, $user );
}}}
Can be added this line:
{{{
global $wpdb;
$wpdb->update(
$wpdb->users,
array(
'user_activation_key' => '',
),
array( 'ID' => $user->ID )
);
}}}
Best Regards!" nsinelnikov
Slated for Next Release 60668 Missing translation in login_header() first parameter audrasjb* Login and Registration 2.1 normal minor 6.6 enhancement accepted has-patch 2024-03-01T10:22:14Z 2024-03-02T09:19:02Z "Hey there
Actuel code from WP (wp-login.php):
{{{#!php
apply_filters("",Array)#3(...)/htdocs/wp-
includes/plugin.php(476):WP_Hook->do_action(Array)#4
/(...)/htdocs/wp-includes/ms-functions.php(892):
do action('after_signup_us...,
'(...)', '(...)
'36db891bc11cbbc..., Array) #5
(...)/wheaty_v3/htdocs/wp-admin/user-new.php(226):
wpmu_signup_user('oliver2', 'technik@hansetr..
, Array) #6 {main} thrown in
/(...)/htdocs/wp-includes/ms-functions.php on line
1105
}}}
Presumably, the web site title needs to be escaped somewhere in the `apply_filters()` call.
" pekka.gaiser
Tickets Awaiting Review 46033 Please fix redirect in wp-login.php Login and Registration 5.0.3 normal normal Awaiting Review defect (bug) new has-patch 2019-01-18T10:45:43Z 2019-01-19T22:32:26Z "On line 619 in wp-login.php there is a redirect that does not take in account site_url setting which is braking experience in some cases. Therefore, the suggested fix is replace
{{{#!php
__('Your login Id'),
'placeholder_password' => __('Your password (case sensitive)'),
'username_required' => true,
'password_required' => true,
'username_css_class' => 'form_control,
'password_css_class' => 'form-control
'username_remove_size' => true,
'password_remove_size' => true
);
}}}
This will have the following benefits:
1) We can use HTML5 native client side validation
2) We can tell WordPress to use custom class name (if none is supplied, default would be used)
3) Placeholder will help removing labels and save space
4) Size attribute if set to `true` will not be used. This is useful if I don't need it at all.
Based on the above values the `';
if($args['echo']){
echo $form;
} else {
return $form;
}
}}}" subrataemfluence
Tickets Awaiting Review 23279 Add templates to style registration, signup, activation, login and password reset pages Login and Registration normal normal Awaiting Review enhancement new has-patch 2013-01-23T22:20:58Z 2017-02-22T09:54:26Z "As [https://irclogs.wordpress.org/chanlog.php?channel=wordpress-dev&day=2013-01-23&sort=asc#m539267 discussed in IRC], the ability to override the various user-related pages would be a great ability for themes to have. At the moment, it's pretty tedious to style these and there's very little control over the content of the page (some for good reason, others not so much).
Related: #1155, #3123, #22139" rmccue
Tickets Awaiting Review 34712 New filter: `reset_password_url` Login and Registration normal normal Awaiting Review enhancement new has-patch 2015-11-17T11:46:06Z 2017-08-27T22:36:01Z For example if I want make custom reset password page. sebastian.pisula
Tickets Awaiting Review 36010 New password reset styling changes are confusing to casual users Login and Registration 4.4 normal major Awaiting Review enhancement new has-patch 2016-02-29T16:20:53Z 2020-02-08T14:04:34Z "I've noticed an uptick in how many of my users have been confused by the password reset process recently. In talking a few of them through the process, I realized that there are two spots where they are unsure of what to do:
* On the password reset screen, the ""New password"" input doesn't look like the other inputs they've encountered, like at wp-login.php.
* Once they click ""Reset password,"" they're expecting to receive an email containing the new password (and aren't realizing that the characters in the ""new password"" box are the new password). So, when they're redirected to a standard login screen, they're doubtful.
About the first issue, I'm attaching mockups of the reset password screen with less styling. It's less visually interesting to advanced users, but maybe less is more for less experienced users.
To help with the second issue, adding an instructional banner might help. For instance, if we were to redirect on submission of the ""reset password"" form to `wp-login/?newpass=true` or similar, then we could offer some guidance. See attached images.
Thanks for your consideration.
" dcavins
Tickets Awaiting Review 31682 reg_passmail message on login.php needs filter Login and Registration 4.1.1 normal normal Awaiting Review enhancement new has-patch 2015-03-18T13:22:43Z 2017-03-01T00:30:22Z "reg passwords is hardcoded to the login.php:
{{{
}}}
So it appears even if you do some other ways of delivering passwords. E.g. i want to first check the registrating person and then send them the password, not immediately, so i need to change this message that would reflect this, and the only option now is to filter global gettext, what is not optimal.
Proposed solution - replace this row with
{{{
}}}
" thomask
Tickets Awaiting Review 40768 site.com/login should not redirect to login page when user is already logged in Login and Registration normal normal Awaiting Review enhancement new has-patch 2017-05-15T13:53:08Z 2023-08-18T11:01:29Z "When I am already logged in I should not be redirected to Login page if I type in `mysite.com/login`. Rather WordPress should be able to decide which page I should be on in this situation.
Being redirected to Login page even when I am already logged in must be treated as a bug. The reason is I am being able to login as a different user by going to login page directly when I am already logged in!
For example if I am already logged in as admin and type in `mysite.com/login` I should directly be taken to `wp-admin`. Same decision could be taken for different user privileges like if I am logged in as a subscriber or as a participant then I might land on site's home page.
Inspired from #40762 I have modified the decider so that WordPress can take this decision itself and stop landing logged in users to login page." subrataemfluence
Tickets Needing Feedback 48222 """Show password"" button overlaps with the LastPass icon" Login and Registration 5.3 normal normal Future Release enhancement assigned has-patch 2019-10-05T14:29:48Z 2022-09-15T20:51:47Z "The new ""Show password"" button added to login screen in [46256] overlaps with the LastPass extension icon. Tested with Google Chrome 77 on Windows 10.
This only happens on Log In and Reset Password screens. The Edit User screen is OK, as the button there is separate from the input." SergeyBiryukov
Tickets with Patches 30227 Inaccurate wording when creating a user with a reserved email address Login and Registration 3.3.2 normal normal defect (bug) new has-patch 2014-11-01T06:16:43Z 2020-02-06T19:47:07Z "If you try to create a user on multisite using an email address that is tied to an unconfirmed user, you'll get this notice
That email address has already been used. Please check your inbox for an activation email. It will become available in a couple of days if you do nothing.
""Please check ''your'' inbox"" seems to imply that the logged in user should check their own inbox for an activation email. Not sure of the best way to reword that so it's clear without being overly wordy. Possibly something like
That email address is reserved pending activation. It will become available in a couple of days if left unconfirmed.
or
That email address is reserved. An activation email has been sent to that address. If left unconfirmed it will become available in a couple of days.
Also, ""couple of days"" could be any time less than 2 days, so perhaps a dynamic value could be used here giving a better approximatation of the time remaining till the unconfirmed address will be freed up.
''This is referenced in #20817''" trepmal
Tickets with Patches 13655 Login/Install/User Edit should stripslashes() $_POST data Login and Registration 3.0 normal normal defect (bug) new has-patch 2010-05-31T11:33:17Z 2019-06-04T20:02:12Z "Following on from #13654 All Login/Registration/Install/User Edit functionality should stripslash $_POST data.
At present, it seems that we do not stripslash at all.
For existing user passwords, we should migrate passwords to their non-stripslashed versions:
[5/31/10 6:34:11 AM] Mark Jaquith: We could migrate people.[[BR]]
[5/31/10 6:34:13 AM] Dion (dd32): Perhaps oughta just add proper stripslashing in 3.1, and add back-compat to change password from non-stripslashed to stripslashed.. similar to the md5->phpass implementation..[[BR]]
[5/31/10 6:35:13 AM] Mark Jaquith: Yep. If the PW doesn't match, addslashes() and compare again. If that matches, set the new PW hash. Right?[[BR]]
[5/31/10 6:35:19 AM] Dion (dd32): yep
" dd32
Tickets with Patches 43536 Network registration page sabernhardt* Login and Registration normal normal Future Release defect (bug) accepted has-patch 2018-03-13T10:23:17Z 2022-09-27T23:04:14Z "Hi,
The registration page for the WordPress Multisite version, has, inside its body, the class page-id-xxx where xxx is the id of the page_on_front.
This is in my opinion a bug, and makes impossible to customize this page via CSS because every rule will be also referred to the page_on_front.
Then it should be useful to have a custom css on the body of the network registration page, something like network-registration-page.
Thanks." SGr33n
Tickets with Patches 35736 Replace 'Lost Password' phrase with 'Reset Password' chriscct7* Login and Registration normal normal defect (bug) accepted has-patch 2016-02-05T02:04:28Z 2020-02-06T19:46:34Z "This is a simple terminology change with a huge impact on the end user.
Since v4.3, WordPress is no longer sends passwords via email. WordPress sends only password reset links. WordPress also notifies by e-mail when a password is changed.
Across WordPress core, the old ""'''Lost my password?'''"" phrase already replaced with the new ""'''Reset Password'''"" / ""'''Password Reset'''"" phrases. But in some places we still use the old ""'''Lost my password?'''"" phrase.
This ticket aim is to replace the remaining strings in the login page, and in email notifications.
=== Login Page ===
In the reset screen, the page title is ""'''Password Reset'''"".
But in the ""'''Login page'''"", the 3 action links under the form - '''Login''' / '''Register''' / '''Lost your password?'''
We should replace the old '''Lost your password?''' phrase with the new ""'''Reset Password'''"" action.
=== Mail notifications ===
When WordPress notifies by e-mail that the password is changed, we use the ""'''Password Lost and Changed for user...'''"" phrase.
Why not simplify this? ""'''Password Changed for user...'''""" ramiy
Tickets with Patches 35018 The authentication check modal dialog appears just once Login and Registration 4.4 normal normal defect (bug) new has-patch 2015-12-11T17:12:25Z 2019-06-04T20:19:17Z "Noticed while investigating on #34951. To reproduce:
1. edit a post
2. open a new tab, go in some other admin screen and log out
3. in the tab with the edit post screen, after a while the authentication modal dialog appears
4. login again using the modal dialog
5. repeat step 2
The authentication modal dialog won't appear again because, as far as I see, when it gets hidden the custom event that triggers the dialog gets removed. See `hide()` in `/wp-includes/js/wp-auth-check.js`
{{{
$(document).off( 'heartbeat-tick.wp-auth-check' );
}}}
Not sure why the event is removed." afercia
Tickets with Patches 20116 Welcome User Email in Multisite Can't Be Changed Login and Registration 3.3 normal normal defect (bug) new has-patch 2012-02-24T21:44:28Z 2019-06-04T20:03:14Z "Reproduced this on 3.3 and 3.4-aortic.
Go to /wp-admin/network/settings.php
Add 'New' to the sentance 'Welcome User' to make it 'Welcome New User'
Hit update.
Page refreshes, text does not change." Ipstenu
Tickets with Patches 36439 Wrong language when resetting password johnbillion Login and Registration normal normal Future Release defect (bug) reviewing has-patch 2016-04-07T09:29:24Z 2021-10-20T15:16:27Z "When using WPML (or other multilanguage plugin) along with multisite, the reset password email comes in wrong language, as the reset password form is sent to network_site_url() instead of site_url(). I think a proper way should be:
}}}
{{{
}}}
Look into same field between the two html outputs, you can see most of the p, label, and input tag has different values of the css ids and classes.
for example:
wp_login_form():
{{{}}}
wp-login.php:
{{{}}}
the ids are the same, but
wp_login_form():
{{{
}}}
wp-login.php:
{{{
}}}
the classes are different
Can you make the ids and classes same, so it will be easier for me to make the two login forms ( `wp_login_form()` and wp-login.php ) with consistent style?
" syshut
Candidates for Closure 41663 Hooks for the back to login link in the footer of wp-login.php Login and Registration 4.8.1 normal normal Awaiting Review feature request new dev-feedback 2017-08-17T18:58:25Z 2021-07-20T15:59:58Z "In the following pull request: [https://github.com/WordPress/WordPress/pull/306/files] I introduced 3 new filters to the login footer area. With these filters you can customize the back to login link to your needs.
" Fleuv
Candidates for Closure 38789 Multisite sign-up improvements (potential roadmap) Login and Registration 3.0 normal normal Awaiting Review feature request new dev-feedback 2016-11-14T20:06:03Z 2019-03-25T21:18:22Z "The `wp_signups` database table has a few things not going for it:
* No `_Query` class
* No `WP_Signup` object class
* No user interface for moderating them
* No query or object caching
* A `meta` database column vs. a `wp_signupmeta` database table
* `wp-signup.php` is a pretty gnarly file, as is `wp-activate.php`
A lack of support for this multisite feature means no one is very likely to use it. Most membership plugins (BuddyPress included) generally wrap around it, but also need to write a bunch of additional code to interface with what's here now.
I took a stab at this last week, and made this plugin for a proof-of-concept:
* https://wordpress.org/plugins/wp-user-signups
* https://github.com/stuttter/wp-user-signups
Pretty much all of the pieces are there, minus the meta-data table (which would not be very hard at all.)" johnjamesjacoby
Tickets Needing Feedback 14949 Login gives false assurance of having logged out rajinsharwar* Login and Registration normal normal Future Release defect (bug) accepted dev-feedback 2010-09-23T10:39:34Z 2023-09-27T19:35:30Z "If you visit `wp-login.php?loggedout=true` while logged in, WordPress falsely tells you that ""You are now logged out.""
This is a problem because it could lead you to think, e.g., that a public computer is no longer authenticated with access to your WP admin.
Patch redirects a still-authenticated user back to the admin from the login page if she requests the above page without actually having logged out." filosofo
Tickets Needing Feedback 36179 Password protected post with force_ssl_admin() and domain mapping not working Login and Registration 4.3.1 normal normal defect (bug) new dev-feedback 2016-03-09T13:48:42Z 2019-06-04T20:23:26Z "Hi,
I'm running a WordPress multisite with ""define(FORCE_SSL_ADMIN, true)"" and domain mapping.
Our network site is using ssl (where users login to administrate their site). But a domain mapped site is not using ssl, which is working fine.
So, I have a post that is password protected. When I'm on the mapped domain and submit the password protect form, I then get redirected to ""wp-login.php?action=postpass"" over https and get a security warning.
It should not redirect me to https when I'm on a non-ssl mapped domain.
Thanks" tcdeskwolf
Tickets Needing Feedback 16482 Visibility: password-protected breaks with redirected domains Login and Registration 3.0.4 normal normal defect (bug) new dev-feedback 2011-02-07T18:58:45Z 2019-06-04T20:02:37Z "Pre-requisite to reproduce: domain.com must redirect to www.domain.com (haven't tested with other subdomains than www, but I'm sure it would be the same).
1. password protect a page
2. visit domain.com/protected (which redirects to www.domain.com/protected)
3. enter password
4. something about the redirect OR the way the password is stored/checked is broken; you are redirected to the wp-admin (WordPress login) page.
Sanity check:
1. password protect a page
2. visit www.domain.com/protected (requiring no subdomain redirect)
3. enter password
4. successful log-in
" monkeyhouse
Tickets Needing Feedback 46748 authenticate filter hook does not behave as expected for priority values less than 20 SergeyBiryukov* Login and Registration 3.7 normal normal Future Release defect (bug) accepted dev-feedback 2019-04-01T12:33:38Z 2022-04-04T06:23:03Z "Returning null or a WP_Error object from functions bound to the [https://codex.wordpress.org/Plugin_API/Filter_Reference/authenticate authenticate] filter at priority values less than 20 does not prohibit a user from logging in.
Consider the following snippet:
{{{#!php
cookie === AUTH_COOKIE ) ) {
return true;
}
// User cookie
if ( defined( 'USER_COOKIE' ) && ( $this->cookie === USER_COOKIE ) ) {
return true;
}
// Logged-in cookie
if ( defined( 'LOGGED_IN_COOKIE' ) && ( $this->cookie === LOGGED_IN_COOKIE ) ) {
return true;
}
}}}
And to special case the test cookie, like:
{{{
// Generic 'wordpress' cookies (that are not test cookies)
if ( ( substr( $this->cookie, 0, 9 ) === 'wordpress' ) && ( $this->cookie !== 'wordpress_test_cookie' ) ) {
return true;
}
}}}
But without a known and trusted cookie prefix, it's still an unpredictable environment.
-----
I'd like to re-propose an 8 year old issue (#6413) to introduce a new default constant to define a cookie prefix. This could turn the above snippet into something at least slightly more sane, like:
{{{
// Generic 'wordpress' cookies (that are not test cookies)
if ( defined( 'COOKIEPREFIX' ) ) {
$len = strlen( COOKIEPREFIX );
if ( substr( $this->cookie, 0, $len ) === COOKIEPREFIX ) && ( false !== strpos( $this->cookie, 'test_cookie', $len ) ) {
return true;
}
}
}}}
A `COOKIEPREFIX` constant would also allow plugins an easy way to drop themselves inside of WordPress's cookie namespace, which will help them play more nicely in environments where WordPress is not the only application within the domain." johnjamesjacoby
Candidates for Closure 35817 Force users to set strong passwords Login and Registration normal normal Awaiting Review enhancement new close 2016-02-12T16:31:38Z 2024-02-08T15:55:49Z "WordPress 4.3 added [https://github.com/dropbox/zxcvbn zxcvbn] for better password strength testing.
The UI was also modified to push users to set strong passwords in various ways.
* When setting a password, a strong one is generated for the user.
* A user must check off an ""Are You Sure?"" checkbox to set a weak password.
This is great. However, an ""Are You Sure"" checkbox is what stands between an easily hackable WordPress site and an exponentially stronger WordPress site.
I would like to force users to set strong passwords in the UI. " ericlewis
Tickets with Patches 36098 "Install: ""Repeat Password"" is not required when browser js is disabled" Login and Registration normal normal defect (bug) new close 2016-03-05T00:57:39Z 2020-02-16T21:35:57Z "Recreate:
1. Turn off browser JS.
2. Install WordPress.
3. Go to step 2.
The ""'''Repeat Password'''"" field is marked as '''required'''. It's not.
----
Recreate this step by step:
Leave all fields empty and press the install button.
You will see an error saying: `Please provide a valid username.`
Enter invalid username (use spaces).
You will see an error saying: `The username you provided has invalid characters.`
Enter valid username.
You will see an error saying: `You must provide an email address.`
Enter some text (not an email).
You will see this error message: `Sorry, that isn’t a valid email address. Email addresses look like username@example.com.`
If you provide a valid email, it will install WordPress. ''' Password is not required! '''" ramiy
Slated for Next Release 60062 Add required attribute to username and password field in wp_login_form function. rcreators Login and Registration 3.0 normal normal 6.6 defect (bug) assigned 2023-12-13T16:56:11Z 2024-03-12T15:39:03Z "Add required attribute to username and password field in wp_login_form function.
" alesflex
Slated for Next Release 60726 The WordPress core password reset needs to pre-populate the username to meet WCAG 2.2 joedolson* Login and Registration normal normal 6.6 defect (bug) accepted 2024-03-07T17:09:25Z 2024-03-07T19:33:35Z "According to new WCAG 2.2 success criterion for [https://www.w3.org/TR/WCAG22/#dfn-processes 3.3.7 redundant entry].
The criterion establishes that information previously entered by or provided to the user that is required to be entered again the same process is either:
* auto-populated, or
* available for the user to select
There are 3 exceptions:
* re-entering the information is essential,
* the information is required to ensure the security of the content, or
* previously entered information is no longer valid.
Once the user has performed the process of requesting a new password, the redirected form should have the username filled-in to pass. As of now, this is the form that the user is redirected to:
" estelaris
Tickets Awaiting Review 55335 $user_login double escaped with incorrect/empty password in wp-login.php Login and Registration normal normal Awaiting Review defect (bug) new 2022-03-08T03:56:54Z 2023-10-11T20:35:15Z "First:
{{{
if ( isset( $_POST['log'] ) ) {
$user_login = ( 'incorrect_password' === $errors->get_error_code() || 'empty_password' === $errors->get_error_code() ) ? esc_attr( wp_unslash( $_POST['log'] ) ) : '';
}
}}}
Then:
{{{
class=""input"" value="""" size=""20"" autocapitalize=""off"" />
}}}
Fix is to late escape only, and remove the top one." johnjamesjacoby
Tickets Awaiting Review 42610 Admin created account password reset process not reverse proxy friendly Login and Registration 4.9 normal normal Awaiting Review defect (bug) new 2017-11-17T21:08:41Z 2017-11-17T21:08:41Z "WordPress newbie, so feel free to point me to a better resolution. Couldn't find anything quite like this.
Have WP running mostly correctly behind a reverse proxy. So no one ever directly touches blog..com (the WP site), instead they access it through www..com/blog
If I create user accounts in the admin, it sends initial password reset links to the new accounts, which have a format like www..com/blog/wp-login.php?action=rp&key=&login=
In wp-login.php, I see the case that catches the rp action, and it does something with the key and user parameters, then strips them off and redirects again to wp-login as follows:
{{{#!php
wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) );
}}}
I'm unclear on why this line doesn't incorporate site_url as do several other places in nearby code. The user ends up getting a redirect to /wp-login.php. That is, from the '''user's perspective''' (not seeing the reverse proxy activity), it looks like:
www..com/blog/wp-login.php?action=rp&key=&login=
redirects to
www..com/wp-login.php?action=rp
which is a 404
From the '''WP server's''' perspective, it told
blog..com/wp-login.php?action=rp&key=&login=
to redirect to
/wp-login.php?action=rp
which would have been fine if there were no reverse proxy involved.
This is not the desired behavior in my case, and I would think it would be safe to redirect to
/wp-login.php?
I can work around it in the main site's rewrite rules by forcing /wp-login to /blog/wp-login, but that seems as if it shouldn't be necessary.
Thanks for your consideration." normjhansen
Tickets Awaiting Review 51008 Issue with multisite new user registration Login and Registration 5.5 normal critical Awaiting Review defect (bug) new 2020-08-14T18:51:00Z 2020-08-14T19:01:50Z "I replicated this issue with a brand new install.
I am using multisite setup. I updated to WP 5.5 and noticed it no longer allows you to register for the individual site. In this example(testsite1 is the sub-site), When a user clicks register -> test.com/testsite1/wp-login.php?action=register It'll redirect the user to the main site -> test.com/wp-signup.php
When you sign up using that page, the user is not connected to any site within the network. However, the user does appear in wp-admin/network/users.php" onehare
Tickets Awaiting Review 60801 New sessions are created when user authenticates but there already are active sessions Login and Registration 6.4.3 normal normal Awaiting Review defect (bug) new 2024-03-18T18:28:41Z 2024-03-19T11:49:09Z "**The problem:** When a user logs in to WordPress a new session is created. If the user opens a new browser tab and navigates to website/wp-admin, the user does not need to authenticate because of the session cookies are saved in the browser, which is the expected behaviour. The same happens even when the user closes the browser completely and reopens it within the duration of that session.
However, if the user navigates to the URL *website/wp-login.php* on the website they are already logged in, the user is presented with a login page, and upon authenticating WordPress creates a new session and new cookies etc, instead of ""retrieving"" the existing logged-in session.
**How to reproduce:**
1. Log in to a WordPress website
2. Open a new browser tab on the same browser (you can close the previous one)
3. Navigate to the login page of the same website you are already logged in to: *website/wp-login.php*
4. Log in
At this point there are two different sessions for the same user in the database and in the browser the user has multiple sets of cookies for the different sessions.
**The issues this causes:**
1. Excessive amount of unnecessary session data in the database. We've seen some large websites with tens of thousands of session entries in the database.
2. Site admins who try to control / limit / manage the number of simultaneous user sessions with third party plugins end up having a lot of problems, such as locking out legit users etc
**Possible solution?:** There are a few possible solutions, however, the easiest one we can think of is to check for session cookies in the users' browsers whenever they access the *wp-login.php*, and if there are, retrieve that session." robert681
Tickets Awaiting Review 38769 Possible password reset loop Login and Registration normal normal Awaiting Review defect (bug) new 2016-11-12T13:11:48Z 2019-03-25T21:41:17Z "
== Bug summary ==
After registering (wp-login.php?action=register) you get straight to the '''login screen''' with a small notice to check your email (wp-login.php?checkemail=registered). But logging-in is not even possible because users have to set their password via a link provided in their email in the first place. '''If users nevertheless try to login they get a misleading error message that could lead to an endless loop of password reset and the user will not be able to register.'''
'''Bug 1:'''
There should be no login form where a user cannot log-in.
(attachment 1)
'''Bug 2:'''
There should be the message that the user has to set the password first.
(attachment 2)
'''While these things seems to be tiny the results are severe.'''
== Bug description ==
If users register they see after submitting the register form the login form with the message ""Registration complete. Please check your email."" on top. They often overlook this message and try to log-in even if they didn't set a password yet.
This leads to situations where users are not able to register:
1. When users try to log-in directly after registration they get the message that the password is wrong. (see attachment)
2. Because of the misstated error message they go to the ""Lost your password?"" form and try to get a new password.
3. They now check their email for the first time and open the email from the registering (!) and not the ""lost password"" email.
4. They click on the link for setting the password in the register email.
5. This link is invalid because of step 2.
6. They then try again to get a new password.
7. They go back to their email account and open the email from step 2 (!) and open this link. Because of step 6 the link is again invalid.
8. They try to get a new password.
9. And so on.
Having the impression to be trapped in an endless loop they often think that the website is full of bugs, are not interested to register anymore or contact the support for removing bugs.
'''I could provide dozen if not even hundreds of cases where this happened to my website.'''
== How to reproduce the bugs?==
1. Try to register.
2. Try to log-in even without a password (put your usual password in it).
3. Set you password back after the error message.
4. Go to your email account and open the register email. Click on the link.
5. You get the message that the link is invalid. Set you password back.
6. Open the email from step 3 and so on.
== tl;dr ==
After registration you see the login form even if you don't set a password yet. If you try to log-in (even if you don't set a password yet) you get a misleading error message that could trap you in an endless password reset process. Users than give up to register or contact support. It is not just theory. Every day, I lose angry customers or have to support them. Please have a look to the attachments." yetAnotherDaniel
Tickets Awaiting Review 42481 TEST_COOKIE and LOGGED_IN_COOKIE secure flag create issues on non-secure login Login and Registration 4.9 low normal Awaiting Review defect (bug) new 2017-11-09T01:30:29Z 2019-04-29T08:24:10Z "Once a user has accessed the login form over https (possible without a valid ssl license, ignoring the browser warning) the WordPress TEST_COOKIE will have the secure flag set https://core.trac.wordpress.org/browser/trunk/src/wp-login.php#L433
When that user goes back to login over http, this will no longer be possible. The test cookie will be ignored by the browser because of the secure flag.
Without the test cookie, all login attempts will be redirected back to the login form with a warning about cookies not being set by the browser. Most users will not know why this happens and will no longer be able to log in.
The user will have to go back to https, open the developer toolbar, delete the cookie and then back to http. Only then the test cookie will be set again, this time without the secure flag.
A work-around to prevent users from being locked out like this, is to make the test cookie name ""http/s aware"" with something like this in wp-config.php:
{{{
$secure = ( isset($_SERVER['HTTPS']) && 'on' == $_SERVER['HTTPS'] ) ? '_sec' : '';
define( 'TEST_COOKIE', 'wordpress' . $secure . '_test_cookie' );
}}}
(using wordpress_sec for secure cookie similar to the auth cookie)
But... the real question is:
'''Why does the test cookie need the secure flag at all?'''
There is no sensitive information passed and it's only there to (as the name suggests) test for cookie unaware or blocking browsers. At least as far as I can tell, there would be no possible problem with simply removing this cookies secure flag. This will not affect any sensitive login/session cookies secure flags.
Or am I mistaken? Are there use cases where the browser can be set to accept cookies over https while blocking them over http?
" RavanH
Tickets Awaiting Review 49633 Trim cookie paths Login and Registration 5.3.2 normal normal Awaiting Review defect (bug) new 2020-03-12T16:00:09Z 2020-03-12T16:00:09Z " I had just migrated a WP website that was very old. I encountered an issue that took several hours to debug.
The site was on PHP 5.6 and I updated everything to use PHP 7.3. At PHP 5.6 this was not an issue, but was at PHP 7.3.
The site seemed to be loading fine. No errors in the PHP error logs. However, I was not able to login to the WP Admin. After I defined error logging true. I get this:
[[Image(https://kevinbrent.com/images/1.png)]]
After several hours of debugging I found this:
[[Image(https://kevinbrent.com/images/2.png)]]
I was able to fix this in the DB. But, feel that WP could simply trim
spaces from cookie paths since they are not allowed by PHP.
[[Image(https://kevinbrent.com/images/3.png)]]
There are 3 constants that require this attention.
{{{
COOKIEPATH
}}}
{{{
SITECOOKIEPATH
}}}
{{{
PLUGINS_COOKIE_PATH
}}}
" Kevin Brent
Tickets Awaiting Review 59373 TypeError: str_contains() argument must be of type string, array given in wp-login.php Login and Registration 6.3.1 normal normal Awaiting Review defect (bug) new 2023-09-16T23:06:41Z 2023-10-05T01:24:43Z "This seems to affect PHP 8.0 and higher.
Downstream report at https://github.com/jquery/infrastructure-puppet/issues/34
> Seems to be an upstream issue where a `$_GET` or `$_REQUEST` key is checked for existence but not for type, thus prone to misuse when crafting query parameters in the array-form that PHP supports.
Easily reproduced, for example, at:
* HTTP 500 https://timotijhof.net/wp-login.php?redirect_to[x]=y
* HTTP 500 https://jquery.com/wp-login.php?redirect_to[x]=y
" TimoTijhof
Tickets Awaiting Review 47088 Visting wp-login.php whilst logged in logs you out Login and Registration 3.0 normal normal Awaiting Review defect (bug) reopened 2019-05-01T08:00:01Z 2023-10-10T00:28:18Z "I leave multiple, regularly-used WP admin tabs open in a browser window. The login sessions time out, as expected, resulting in tabs with URLs like https://example.com/wp-login.php?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2Fadmin.php%3Fpage%3Dfoo-bar&reauth=1
If log in on such a tab to do something, then switch to another tab that also has that type of auto-logged-out URL, I am immediately logged out of the site.
I would expect WP to realise that I am logged in and simply honour the redirect already in the URL, or at least provide the choice of logging out or going to the redirect page/dashboard." lev0
Tickets Awaiting Review 60748 auth_redirect() login check doesn't exist or doesn't work Login and Registration normal normal Awaiting Review defect (bug) new 2024-03-11T13:11:38Z 2024-03-11T13:33:04Z "The `auth_redirect()` documentation states:
""Checks if a user is logged in, if not it redirects them to the login page.""
[https://developer.wordpress.org/reference/functions/auth_redirect/]
However, unless a call to `auth_redirect()` is wrapped inside a `is_user_logged_in()` check, then it always sends people to the login page (even if a user is already logged in).
I don't know if the documentation is incorrect or if there is a bug in the code.
To reproduce, all you need to do is something like this:
{{{#!php
create a custom role with some set of role -> assign same role in ec2 none plugin creator detects ec2 role they just keep asking for API access token of IAM.
thx
sayantan
" cadentic2018
Tickets Awaiting Review 40249 period as last character in username breaks activation link Login and Registration 4.7.3 normal normal Awaiting Review defect (bug) new 2017-03-24T10:38:43Z 2017-03-24T10:40:31Z "Many browsers and mail clients are converting text-URLs to clickable links.
If a user chooses an username with a period at the end, the activation link in the mail could be incorrect, because the mail client thinks, the period is a punctuation character.
See this (non-working) URL for an example:
https://www.domain.de/wp-login.php?action=rp&key=XXXXXX&user=ballspieler96.
The period at the end is part of the username but not part of the URL.
Fix:
Don't use the username as last parameter. Instead use a defined parameter, which won't have periods as value (i.e. 2action"" or ""key"")" ilikewordpress
Tickets Awaiting Review 44960 wp-login.php does not allow redirecting 'read' capability (Subscriber) to Dashboard instead of Profile upon login Login and Registration normal normal Awaiting Review defect (bug) new 2018-09-18T15:34:01Z 2018-09-18T15:34:01Z "Re: https://github.com/WordPress/WordPress/blob/4.9.8/wp-login.php#L965
I understand checking if $redirect_to is empty, but why specifically intercept users without 'edit_posts' capability that do have 'read' capability?
Here's some code that I am using to override this: https://gist.github.com/cliffordp/35d74c3bceec9fbd10547b5d1ba988e5
I'm hoping this snippet will not be needed in the future.
Thank you." cliffpaulick
Tickets Awaiting Review 40595 wp_authenticate_username_password() should respect WP_Error object generated by higher priorities Login and Registration 4.7.4 normal normal Awaiting Review defect (bug) new 2017-04-28T13:46:54Z 2017-04-28T13:59:39Z "If I've read through #19714 but believe this issue should be reopened. This issue affects anyone who needs to alter the normal authentication process by hooking into the authenticate filter at a high priority. Functions in the process flow should respect a WP_Error object if that is what it is handed, including wp_authenticate_username_password().
'''Expected Behavior'''
function hooks ''authenticate'' filter, assigns priority 10. Function invalidates authentication attempt and returns a WP_Error object. Authentication should fail and error message displayed to user.
'''Current Behavior'''
Function hooks ''authenticate'' filter, assigns priority 10. Function invalidates authentication attempt and returns a WP_Error object. wp_authenticate_username_password() ignores WP_Error object, attempts authentication and returns its own error message, or goes ahead and authenticates the user.
Functions could assign a priority less than 20 (i.e. 30), but then when will be required to decipher error codes and/or the user object to then determine if authentication should continue, '''after''' an authentication attempt has already been processed by wp_authenticate_username_password(), even if no authentication should have been attempted. In additon, if wp_authenticate_username_password() is not going to respect WP_Errors from higher priorities, why not assign it a priority of 1 and make it the very first item in the authentication process?
" gilzow
Tickets Awaiting Review 47170 wp_sensitive_page_meta breaks login on iPad devices Login and Registration 5.0 normal major Awaiting Review defect (bug) new 2019-05-07T16:28:57Z 2019-05-17T10:58:38Z "iPad Safari will throw a
{{{
Failed to set referrer policy: The value 'strict-origin-when-cross-origin' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.
}}}
on wp-login.php page because it does not understand strict-origin-when-cross-origin value for the referer policy.
This effectively breaks the login completely at least on nginx sites.
Present starting with 4.9.10 (5.0.0 if chronologically)." madhazelnut
Tickets Awaiting Review 54716 """Remember me"" label changed to ""Keep me logged in""" Login and Registration 2.0 normal trivial Awaiting Review enhancement new 2021-12-31T22:36:46Z 2022-02-20T22:29:05Z "I think the label ""Remember me"" to be misleading.
The default ""Remember Me"" checkbox behaviour is:
>If checked your browser keeps you logged in for 14 days.
>If unchecked you're logged out when you quit the browser, or after two days.
The checkbox function is not to remember the user identity, but to keep the authentication valid.
The task of remembering the user credentials is on the browser.
I think that ""Keep me logged in"" would be clearer and more consistent with other services around the internet.
""Keep me logged in on this computer"" is even more accurate.
There are variation on the wording, like [Keep me|Stay][logged in|signed in].
Twenty years ago I would just have suggested to add a tooltip (title) with an explanation, but it has already been established in #24766 that title attributes are to be phased out.
Amazon uses a full blown popup to explain the function of the checkbox.
[[Image(amazon-signin.png)]]
Although a totally minor issue I would like to have a discussion about this.
" Cyberchicken
Tickets Awaiting Review 49328 Add filter/action to append link to the login form footer inside the #login container Login and Registration normal trivial Awaiting Review enhancement new 2020-01-30T09:40:26Z 2020-01-30T22:07:05Z "At the moment, when using login_footer action, you can add the HTML at the bottom of login page.
I think it can be useful to be able also to add some message or custom links to the #nav or #backtoblog area of the login form. At the moment, the only way is to use the hack described [here](https://wordpress.stackexchange.com/questions/99251/how-do-you-add-a-custom-link-to-the-wordpress-login-page) and it doesn't work for not English pages." oksanaromaniv
Tickets Awaiting Review 43080 Allow access to triggered WP_Error when using login_errors and login_messages filters Login and Registration 4.9.1 normal normal Awaiting Review enhancement new 2018-01-12T21:39:59Z 2020-10-13T03:28:56Z "Hi,
There are currently 2 filters login_errors et login_messages but everything is string. As a consequence this is translated. I would be nice to add $wp_error (WP_Error) in these filters to make it even more customizable.
" anonymized_10765487
Tickets Awaiting Review 44517 Allow specifying the WordPress username to be filled in on the login form via a URL parameter. Login and Registration normal normal Awaiting Review enhancement new 2018-07-05T03:36:04Z 2019-01-16T06:50:09Z "Hi All,
I have a usecase for WordPress that requires me to allow specifying the username that will be logged into for WordPress via a URL parameter.
Essentially, a WordPress plugin allows creating a new username, only if a valid email has been sent. As part of the authentication flow, I want to be able to specify what the username was on the URL so that the user can just click the link that is sent to them via email, requiring only that their password be entered.
I have provided a patch. Please let me know if there are any changes that should be made.
Thanks!" datatim
Tickets Awaiting Review 39929 "Improve ability to customize ""nav"" links below login form." Login and Registration 4.8 normal normal Awaiting Review enhancement new 2017-02-21T19:07:00Z 2017-02-21T19:11:52Z "In adding a Single Sign-On option to a site, I ran into trouble while trying to add a link to the login form. Flexibility could be introduced by adding an action inside each `p.nav` in `wp-login.php`, but there's already duplicated code. So, I've added a function that builds the output and allows plugins to add new links or change the existing links.
Thanks for considering my request." dcavins
Tickets Awaiting Review 38336 Login: Add new action hooks to the top of login type forms Login and Registration 4.6.1 normal normal Awaiting Review enhancement new 2016-10-17T20:11:14Z 2021-07-20T16:26:30Z "Currently there are action hooks that fire in the login forms after the fields have been loaded into the form. This allows new fields, new text, additional verification fields such as CAPTCHA, etc to be added after the username/email/password fields.
However, currently there is not an easy way to add new fields to the top of the forms before the username/email/password fields without building a custom form.
In my use case I require an Account/Membership number to be provided in addition to the email/username, which internally allows the same email address to be used with multiple accounts. The only place to add this new field without building a custom form is to add the field after the password field. The current field sequence on the form appears as email, password, account number. Since the account number field is more significant, it would be better to read the field sequence as: account number, email, password.
In wp-login.php the login forms have the following action hooks:
in form name=""loginform""
`do_action( 'login_form' );`
in form name=""lostpasswordform""
`do_action( 'lostpassword_form' );`
in form name=""registerform""
`do_action( 'register_form' );`
in form name=""resetpassform""
`do_action( 'resetpass_form', $user );`
I am requesting new additional action hooks to be created and placed at the top of each of the forms before any fields are defined.
For example, in `form name=""registerform""` a new action hook such as `do_action( 'login_form_top' )` to appear directly after the form html line as follows:
{{{