Make WordPress Core

Opened 13 years ago

Last modified 3 years ago

#14949 reopened defect (bug)

Login gives false assurance of having logged out

Reported by: filosofo's profile filosofo Owned by: filosofo's profile filosofo
Milestone: Future Release Priority: normal
Severity: normal Version: 3.1
Component: Login and Registration Keywords: has-patch needs-testing dev-feedback
Focuses: administration, multisite Cc:

Description

If you visit wp-login.php?loggedout=true while logged in, WordPress falsely tells you that "You are now logged out."

This is a problem because it could lead you to think, e.g., that a public computer is no longer authenticated with access to your WP admin.

Patch redirects a still-authenticated user back to the admin from the login page if she requests the above page without actually having logged out.

Attachments (7)

no-false-logout-message.14949.diff (524 bytes) - added by filosofo 13 years ago.
14949-current-user-can-not-login-before-logout.patch (679 bytes) - added by hakre 13 years ago.
Prevents a signon for a user that is already logged in.
14949-user-prior-filter.patch (496 bytes) - added by hakre 13 years ago.
Similar to filosofo's patch but passes current user to login_redirect filter.
14949-signon-internals.patch (808 bytes) - added by hakre 13 years ago.
Prevents to pass NULL values to filters
WordPress Current WP Login.png (28.4 KB) - added by lukecavanagh 6 years ago.
WP Login in current WP Version
14949.2.diff (637 bytes) - added by lukecavanagh 6 years ago.
Patch refresh
14949.3.diff (423 bytes) - added by donmhico 4 years ago.
Patch refresh.

Download all attachments as: .zip

Change History (43)

#1 @hakre
13 years ago

Hmm, my first reaction was to dislike the redirect. Then I wondered what happens if you visit wp-login.php while being logged in. You can login again *gg* (trunk).

I suggest that the requests behaves like a successfull login has been made (e.g. going to dashboard by default but running all filters and same logic so that plugins work as expected).

@hakre
13 years ago

Prevents a signon for a user that is already logged in.

@hakre
13 years ago

Similar to filosofo's patch but passes current user to login_redirect filter.

@hakre
13 years ago

Prevents to pass NULL values to filters

#2 @filosofo
13 years ago

  • Keywords dev-feedback added

#3 @scribu
13 years ago

This is actually a problem with how admin notices are passed around.

There was a ticket proposing an API for passing admin notices using transients I think, but I can't find it now.

#4 @filosofo
13 years ago

I agree that the notices need work. Here's my ticket about it: #11515

However, I think this particular issue has a simple fix. wp-admin/ pages redirect non-authenticated users to wp-login.php, so it seems reasonable to redirect authenticated users from wp-login.php to wp-admin/.

#5 @azizur
12 years ago

  • Cc azizur added

#6 follow-up: @nacin
12 years ago

  • Keywords needs-testing added; dev-feedback removed

no-false-logout-message.14949.diff looks and tests fine. Want some extra eyes on it before continuing.

I've noticed that when running multisite -- and this may be particular to my setup -- wp-login.php redirects to wp-admin already. I haven't dug into the code enough yet to ascertain why, which is partially why I'm not committing this just yet.

#7 @johnpbloch
12 years ago

Patch tests fine. I think hakre's patch 14949-user-prior-filter.patch makes more sense. It's the same code, but ensures that we have the correct user info going to the redirect filter.

Didn't look into the multisite thing, though.

#8 @filosofo
12 years ago

Well, my thought in having it after $user is passed to the filter is that it gives you access to the error object, whereas you can access the current user globally and don't need to be concerned about whether it gets passed to the filter.

In other words, maybe you want to adjust the redirect according to the type of error that has occurred. 14949-user-prior-filter.patch doesn't let you do that.

#9 @ryan
12 years ago

  • Keywords 3.2-early added
  • Milestone changed from 3.1 to Future Release

#10 @ryan
12 years ago

IIRC, the reason it shows when logged in is so that you can upgrade from non-SSL to SSL cookies, or vice-versa. I think any patch would have to accommodate allowing logged in users to log in again if their cookies do not match the is_ssl() state when visiting the login page.

#11 @Ipstenu
11 years ago

This is still the case in 3.3

#12 @MikeHansenMe
11 years ago

This is still the case in 3.5-alpha-21751. But is there any way a user could even land on the login page with the logout set without manually putting it into the browser?

#13 @MikeHansenMe
11 years ago

  • Cc mdhansen@… added

#14 in reply to: ↑ 6 @Ipstenu
10 years ago

In 3.6 (and trunk) if I go to domain.com/wp-login.php on single or Multisite it provides the login form.

Replying to nacin:

I've noticed that when running multisite -- and this may be particular to my setup -- wp-login.php redirects to wp-admin already. I haven't dug into the code enough yet to ascertain why, which is partially why I'm not committing this just yet.

This part I can't reproduce.

#15 @jeremyfelt
9 years ago

  • Component changed from Administration to Login and Registration
  • Focuses administration multisite added

#16 @helen
9 years ago

#27212 was marked as a duplicate.

#17 @nacin
9 years ago

Worth sharing: [bbpress5305].

#18 @SergeyBiryukov
9 years ago

#27331 was marked as a duplicate.

#19 @SergeyBiryukov
8 years ago

#32054 was marked as a duplicate.

#20 @swissspidy
6 years ago

#36131 was marked as a duplicate.

#21 @eolonade
6 years ago

Please has this issue been fixed?

I have a website that uses Peter's Login Redirect where users are expected to get redirected to a custom page after logging in, but if an already logged-in user tries to login again, he gets redirected to the /wp-admin page.

Please what should I do?

Thanks

#22 @lukecavanagh
6 years ago

@eolonade

This is still an issue, checked on a local dev version of WP 4.7.3.

@lukecavanagh
6 years ago

WP Login in current WP Version

#23 @eolonade
6 years ago

Thanks @lukecavanagh ... I also found out that...

Seeing that this has been the case for years, is there any chance that this might change anytime soon?

#24 @lukecavanagh
6 years ago

This patch applies cleanly in WP 4.7.3. So if an end-user hits wp-login.php?loggedout=true if a user is already logged in, then it will redirect to wp-admin.

@lukecavanagh
6 years ago

Patch refresh

#25 @swissspidy
6 years ago

#41533 was marked as a duplicate.

This ticket was mentioned in Slack in #core by swissspidy. View the logs.


5 years ago

#27 @swissspidy
4 years ago

#47088 was marked as a duplicate.

@donmhico
4 years ago

Patch refresh.

#28 @donmhico
4 years ago

Issue still persist in 5.3 and the patch still resolves the problem. I attached a refreshed patch above. Is there any reason / concern why we aren't merging this to trunk?

Last edited 4 years ago by donmhico (previous) (diff)

#29 @SergeyBiryukov
4 years ago

#48832 was marked as a duplicate.

#30 @henry.wright
3 years ago

If I am able to visit the wp-login.php page and see a form asking for a username and password, as a user, I would assume I am not authenticated.

Making the text "You are now logged out" not display doesn't go far enough in my opinion.

#31 @valentinbora
3 years ago

Patch 14949.3.diff confirmed. When visiting /wp-login.php while already logged in, I now get redirected to /wp-admin

@desrosj @SergeyBiryukov please consider reviewing and maybe adding to the next release?

#32 @johnbillion
3 years ago

  • Keywords 3.2-early removed
  • Milestone changed from Future Release to 5.4

This needs testing with plugins which make changes to the login screen, or add extra functionality to it such as two-factor authentication. Best to check in case there's any unexpected problems.

#33 @ashwin.parthasarathi
3 years ago

  • Resolution set to worksforme
  • Status changed from new to closed

Patch 14949.3.diff confirmed working with Simple Login Captcha in WP 5.4-beta1-47286.

Redirected /wp-login.php and /wp-login.php?loggedout=true to /wp-admin if the user is already logged-in.

#34 @ashwin.parthasarathi
3 years ago

  • Resolution worksforme deleted
  • Status changed from closed to reopened

Leaving it open for others to test.

#35 @bookdude13
3 years ago

  • Keywords dev-feedback added

Confirmed working with Two Factor using email, Authy/QR and OTP codes. Using WP trunk as of commit 1911d0db (14 Feb 2020). Redirected /wp-login.php and /wp-login.php?loggedout=true to /wp-admin if the user is already logged-in, then able to logout and login again without any noticeable changes.

@johnbillion do you have other plugins in mind that should be tested, or are these two sufficient? I can test more in the next couple days, but I'm not familiar with the available login-changing plugins.

#36 @audrasjb
3 years ago

  • Milestone changed from 5.4 to Future Release

Hi,

With 5.4 Beta 3 approaching and the Beta period reserved for bugs introduced during the cycle, this is being moved to Future Release. If any maintainer or committer feels this should be included or wishes to assume ownership during a specific cycle, feel free to update the milestone accordingly.

Note: See TracTickets for help on using tickets.