WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 8 months ago

Last modified 8 months ago

#18824 closed defect (bug) (wontfix)

Password protected pages don't work if site address is different from wordpress address

Reported by: 3singes
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.2.1
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

Hi,

On a 3.2.1 WordPress site, we noticed that password protected pages didn't work.

The site address is in a different domain (x.com) than the WordPress address (y.com).

If we set the same domain for both of them, protected pages work again.

I think I understood what was going on:

  1. the browser gets the form for the password via siteurl.
  2. however, the form posts data to the WordPress address (wp-pass.php), and the browser gets the cookie within this domain (and not the siteurl domain)
  3. the browser is redirected to siteurl, but the cookie doesn't work (domain mismatch).

I corrected wp-pass.php by replacing get_option('siteurl') with get_option('home'), and it worked.

Attachments (2)

patch.txt (844 bytes) - added by 3singes 3 years ago.
Patch
18824.diff (513 bytes) - added by nacin 2 years ago.


Change History (12)

3singes 3 years ago

Patch

comment:1 3singes 2 years ago

Hi!

Will a developer review this bug?

Thanks in advance!

comment:2 SergeyBiryukov 2 years ago

  • Keywords dev-feedback added

comment:3 nacin 2 years ago

  • Keywords has-patch dev-feedback removed

siteurl indicates where the files are. Example: www.example.com is home, example.com/wordpress is siteurl. So this patch won't work.

I think the fix might just be to use COOKIE_DOMAIN in setcookie(), which should be correct.

nacin 2 years ago

comment:4 nacin 2 years ago

  • Keywords has-patch added

Try this out.

comment:5 follow-up: 3singes 2 years ago

Hi Nacin, thanks for your answer. Unfortunately your patch doesn't work, I just tested it.

As I explained in my description, siteurl and home aren't in the same domain on my installation. In WP 3.2.1, wp-pass.php (the file you modified) is accessed via http://{siteurl}/wp-pass.php. However, the website is accessed via http://{home}/ (and that's the COOKIE_DOMAIN value too). That's why setcookie() doesn't work: you can't call it with a COOKIE_DOMAIN different from the domain the script is accessed from (security reason, I think).

My patch modified the URL wp-pass.php was accessed from. I used home, in order to have the same domain as COOKIE_DOMAIN for the script, and allow setcookie() to work correctly.
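
The cookie behaviour described in comment 5, as an added example that is not part of the ticket or of WordPress: a small JavaScript model of the RFC 6265 domain checks a browser applies when storing and sending a cookie. It uses the ticket's x.com (home) and y.com (siteurl) as placeholder hosts; all function names are made up for this illustration.

```javascript
// Added example, not WordPress code. Hosts are the ticket's placeholders:
// home (public site) = x.com, siteurl (WordPress files) = y.com.
const HOME = "x.com", SITEURL = "y.com";

// RFC 6265 section 5.1.3: does `host` domain-match `cookieDomain`?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  // Suffix matches must fall on a label boundary and never apply to IP hosts.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Section 5.3: what the browser stores for a Set-Cookie from `responseHost`.
// Returns null when the cookie is ignored. (Public-suffix checks are omitted.)
function storeCookie(responseHost, domainAttr) {
  if (!domainAttr) return { domain: responseHost.toLowerCase(), hostOnly: true };
  if (!domainMatch(responseHost, domainAttr)) return null;
  return { domain: domainAttr.toLowerCase().replace(/^\./, ""), hostOnly: false };
}

// Section 5.4: is the stored cookie attached to a request for `requestHost`?
function isSent(cookie, requestHost) {
  if (!cookie) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// The form is posted to `postHost`, which answers with Set-Cookie and a
// redirect to `viewHost`, where the protected page is rendered.
function passwordFlow(postHost, viewHost, domainAttr) {
  const cookie = storeCookie(postHost, domainAttr);
  return { stored: cookie !== null, sentToView: isSent(cookie, viewHost) };
}

const cases = {
  "post to siteurl, no Domain attribute": passwordFlow(SITEURL, HOME, ""),
  "post to siteurl, Domain=home": passwordFlow(SITEURL, HOME, HOME),
  "post to home, Domain=home": passwordFlow(HOME, HOME, HOME),
};
for (const [name, result] of Object.entries(cases)) {
  console.log(name.padEnd(38), JSON.stringify(result));
}
```

Only the third case, where the form is posted to the same domain that later renders the page, leaves the browser with a cookie it will send back.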

comment:6 follow-up: nacin 2 years ago

I don't think having different domains for siteurl and home is proper, or supported. What's your use case?

comment:7 in reply to: ↑ 5 SergeyBiryukov 2 years ago

Replying to 3singes:

> That's why setcookie() doesn't work: you can't call it with a COOKIE_DOMAIN different from the domain the script is accessed from (security reason, I think).

Note that you can define COOKIE_DOMAIN in wp-config.php (not sure about security implications though).

comment:8 in reply to: ↑ 6 3singes 2 years ago

Replying to nacin:

> I don't think having different domains for siteurl and home is proper, or supported. What's your use case?

I want the public site domain to be different from the wp-admin one. I have a lot of WP blogs, with different domain names, accessed by HTTP, but I want the admin part to be accessed by HTTPS. In order to use only one SSL certificate (and only one IP address, as my webserver doesn't support SNI yet), I set siteurl to "http://my-admin-domain/myblog/" (admin part is then https://my-admin-domain/myblog/wp-admin/) and home to "http://my-blog-domain" (public part is OK then).

Of course, when my webserver is able to use SNI, all these problems should vanish and I will use only one IP address, many certificates, and hasta la vista!

comment:9 c3mdigital 8 months ago

  • Resolution set to wontfix
  • Status changed from new to closed

wp-pass.php was gracefully laid to rest in [19925], r.i.p. Now we post to site_url( 'wp-login.php?action=postpass', 'login_post' ).

Do your normal auth cookies work using different domains? This is very much an edge case, and if this still doesn't work you can add a conditional site_url filter:

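    // Assumes $post is the current post object (global $post).
    if ( ! empty( $post->post_password ) ) {
        add_filter( 'site_url', function( $url, $path ) {
            // Keep the requested path (e.g. wp-login.php?action=postpass) on the home domain.
            return get_home_url( null, $path );
        }, 10, 2 );
    }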

comment:10 SergeyBiryukov 8 months ago

  • Milestone Awaiting Review deleted