Wordpress fails silently when cookies are disabled

[sjmurdoch]

If a user has disabled cookies then on logging in the user is
returned to the login page without any error message being displayed.

Wordpress should preferably be able to work with cookies disabled,
but at the very least should display an understandable error message
when the user has done this.

Steps to reproduce:

1. Disable accepting cookies in web browser
2. Go to ​http://<wordpress>/wp-login.php
3. Enter valid login username and password
4. Click "Login >>"
5. User is returned to wp-login.php without error message

• Version tested: wordpress-2.0-RC1
• PHP version: 4.1.2-7.woody5
• Operating system: Debian GNU/Linux 3.0

[wendel279]

JavaScript to notify user onLoad

[wendel279]

I figured a message informing the user that their cookies are disabled onLoad would work. What do you think?

[markjaquith]

Good idea, but the patch needs some serious work in terms of grammer and XHTML validity.

[sjmurdoch]

I am not sure if Javascript is the right way to go, since there is a good chance that people paranoid enough to turn off cookies will have turned off Javascript too.

The scheme I have used in the past was suggested in ​CGI Programming with Perl, and it doesn't rely on Javascript.

The login page checks for a cookie. If it is present, great, otherwise it sets a cookie then redirects to a cookie test page. If the cookie is set, it redirects back to the login page, otherwise it displays an error message. The book recommends that the redirection URL be an absolute path to avoid the webserver ignoring it.

[Nazgul]

Do we actually need to determine this programmatically or would a fixed footnote on the login page stating "requires cookies" be sufficient?

[sjmurdoch]

@Nazgul

For usability reasons, yes I think this should be caught programatically. Otherwise there is an extra message to read for the users who have cookies enabled. For those who do not, a static footnote could be easily missed, whereas a big error message would be clear.

[Nazgul]

First stab at a patch. Please shoot at it.

[tellyworth]

login-test-cookie-r5735.patch takes a simpler server-side approach. Instead of a redirect, a test cookie is sent when the login form is displayed, and checked when the POST is processed.

[nbachiyski]

I like the server-side approach more, but do we need to use as test content the password cookie? Isn't just a "test" enough?

[westi]

Refreshed patch

[westi]

I have updated the patch to address the concerns.

Test cookie is no-loger the password hash

I have also changed the error message to be more informative.

[westi]

Ok. I've slept on this and I think it should go in.

If people have issues with the error message then raise a new ticket to get it changed ;-)

[westi]

(In [6009]) Inform the user when cookies are disabled and login fails. Fixed #2039 props tellyworth.