Make WordPress Core

Opened 13 years ago

Closed 11 years ago

#2039 closed defect (bug) (fixed)

Wordpress fails silently when cookies are disabled

Reported by: sjmurdoch Owned by: westi
Milestone: 2.3 Priority: normal
Severity: major Version: 2.0
Component: General Keywords: has-patch
Focuses: Cc:


If a user has disabled cookies then on logging in the user is returned to the login page without any error message being displayed.

Wordpress should preferably be able to work with cookies disabled, but at the very least should display an understandable error message when the user has done this.

Steps to reproduce:

  1. Disable accepting cookies in web browser
  2. Go to http://<wordpress>/wp-login.php
  3. Enter valid login username and password
  4. Click "Login >>"
  5. User is returned to wp-login.php without error message
  • Version tested: wordpress-2.0-RC1
  • PHP version: 4.1.2-7.woody5
  • Operating system: Debian GNU/Linux 3.0

Attachments (4)

2039.diff (1.6 KB) - added by wendel279 12 years ago.
JavaScript to notify user onLoad
2039b.diff (1.1 KB) - added by Nazgul 12 years ago.
login-test-cookie-r5735.patch (1.5 KB) - added by tellyworth 11 years ago.
2039.refreshed.diff (1.5 KB) - added by westi 11 years ago.
Refreshed patch

Download all attachments as: .zip

Change History (26)

#1 @sjmurdoch
13 years ago

  • Component changed from Administration to General
  • Severity changed from normal to major

#2 @sjmurdoch
13 years ago

  • Cc wptrac+Steven.Murdoch@… added

#3 @sjmurdoch
13 years ago

  • Cc sjmurdoch added; wptrac+Steven.Murdoch@… removed

12 years ago

JavaScript to notify user onLoad

#4 @wendel279
12 years ago

I figured a message informing the user that their cookies are disabled onLoad would work. What do you think?

#5 @markjaquith
12 years ago

Good idea, but the patch needs some serious work in terms of grammer and XHTML validity.

#6 @sjmurdoch
12 years ago

I am not sure if Javascript is the right way to go, since there is a good chance that people paranoid enough to turn off cookies will have turned off Javascript too.

The scheme I have used in the past was suggested in CGI Programming with Perl, and it doesn't rely on Javascript.

The login page checks for a cookie. If it is present, great, otherwise it sets a cookie then redirects to a cookie test page. If the cookie is set, it redirects back to the login page, otherwise it displays an error message. The book recommends that the redirection URL be an absolute path to avoid the webserver ignoring it.

#7 @Nazgul
12 years ago

  • Keywords dev-feedback added

Do we actually need to determine this programmatically or would a fixed footnote on the login page stating "requires cookies" be sufficient?

#8 @sjmurdoch
12 years ago


For usability reasons, yes I think this should be caught programatically. Otherwise there is an extra message to read for the users who have cookies enabled. For those who do not, a static footnote could be easily missed, whereas a big error message would be clear.

12 years ago

#9 @Nazgul
12 years ago

  • Milestone set to 2.1

First stab at a patch. Please shoot at it.

#10 @Nazgul
12 years ago

  • Owner changed from anonymous to Nazgul
  • Status changed from new to assigned

#11 @matt
12 years ago

  • Milestone changed from 2.1 to 2.2

#12 @foolswisdom
11 years ago

  • Milestone changed from 2.2 to 2.3

#13 @rob1n
11 years ago

  • Owner changed from Nazgul to rob1n
  • Status changed from assigned to new

#14 @rob1n
11 years ago

  • Keywords dev-feedback removed
  • Milestone changed from 2.3 to 2.4

#15 @rob1n
11 years ago

  • Milestone changed from 2.4 (future) to 2.3 (trunk)

#16 @rob1n
11 years ago

  • Status changed from new to assigned

#17 @tellyworth
11 years ago

login-test-cookie-r5735.patch takes a simpler server-side approach. Instead of a redirect, a test cookie is sent when the login form is displayed, and checked when the POST is processed.

#18 @foolswisdom
11 years ago

  • Keywords has-patch added

#19 @nbachiyski
11 years ago

I like the server-side approach more, but do we need to use as test content the password cookie? Isn't just a "test" enough?

11 years ago

Refreshed patch

#20 @westi
11 years ago

  • Owner changed from rob1n to westi
  • Status changed from assigned to new

I have updated the patch to address the concerns.

Test cookie is no-loger the password hash

I have also changed the error message to be more informative.

#21 @westi
11 years ago

Ok. I've slept on this and I think it should go in.

If people have issues with the error message then raise a new ticket to get it changed ;-)

#22 @westi
11 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [6009]) Inform the user when cookies are disabled and login fails. Fixed #2039 props tellyworth.

Note: See TracTickets for help on using tickets.