WordPress.org

Make WordPress Core

Opened 12 years ago

Closed 10 years ago

#2039 closed defect (bug) (fixed)

Wordpress fails silently when cookies are disabled

Reported by: sjmurdoch Owned by: westi
Milestone: 2.3 Priority: normal
Severity: major Version: 2.0
Component: General Keywords: has-patch
Focuses: Cc:

Description

If a user has disabled cookies then on logging in the user is
returned to the login page without any error message being displayed.

Wordpress should preferably be able to work with cookies disabled,
but at the very least should display an understandable error message
when the user has done this.

Steps to reproduce:

  1. Disable accepting cookies in web browser
  2. Go to http://<wordpress>/wp-login.php
  3. Enter valid login username and password
  4. Click "Login >>"
  5. User is returned to wp-login.php without error message
  • Version tested: wordpress-2.0-RC1
  • PHP version: 4.1.2-7.woody5
  • Operating system: Debian GNU/Linux 3.0

Attachments (4)

2039.diff (1.6 KB) - added by wendel279 12 years ago.
JavaScript to notify user onLoad
2039b.diff (1.1 KB) - added by Nazgul 11 years ago.
login-test-cookie-r5735.patch (1.5 KB) - added by tellyworth 10 years ago.
2039.refreshed.diff (1.5 KB) - added by westi 10 years ago.
Refreshed patch

Download all attachments as: .zip

Change History (26)

#1 @sjmurdoch
12 years ago

  • Component changed from Administration to General
  • Severity changed from normal to major

#2 @sjmurdoch
12 years ago

  • Cc wptrac+Steven.Murdoch@… added

#3 @sjmurdoch
12 years ago

  • Cc sjmurdoch added; wptrac+Steven.Murdoch@… removed

@wendel279
12 years ago

JavaScript to notify user onLoad

#4 @wendel279
12 years ago

I figured a message informing the user that their cookies are disabled onLoad would work. What do you think?

#5 @markjaquith
12 years ago

Good idea, but the patch needs some serious work in terms of grammer and XHTML validity.

#6 @sjmurdoch
12 years ago

I am not sure if Javascript is the right way to go, since there is a good chance that people paranoid enough to turn off cookies will have turned off Javascript too.

The scheme I have used in the past was suggested in CGI Programming with Perl, and it doesn't rely on Javascript.

The login page checks for a cookie. If it is present, great, otherwise it sets a cookie then redirects to a cookie test page. If the cookie is set, it redirects back to the login page, otherwise it displays an error message. The book recommends that the redirection URL be an absolute path to avoid the webserver ignoring it.

#7 @Nazgul
11 years ago

  • Keywords dev-feedback added

Do we actually need to determine this programmatically or would a fixed footnote on the login page stating "requires cookies" be sufficient?

#8 @sjmurdoch
11 years ago

@Nazgul

For usability reasons, yes I think this should be caught programatically. Otherwise there is an extra message to read for the users who have cookies enabled. For those who do not, a static footnote could be easily missed, whereas a big error message would be clear.

@Nazgul
11 years ago

#9 @Nazgul
11 years ago

  • Milestone set to 2.1

First stab at a patch. Please shoot at it.

#10 @Nazgul
11 years ago

  • Owner changed from anonymous to Nazgul
  • Status changed from new to assigned

#11 @matt
11 years ago

  • Milestone changed from 2.1 to 2.2

#12 @foolswisdom
11 years ago

  • Milestone changed from 2.2 to 2.3

#13 @rob1n
11 years ago

  • Owner changed from Nazgul to rob1n
  • Status changed from assigned to new

#14 @rob1n
11 years ago

  • Keywords dev-feedback removed
  • Milestone changed from 2.3 to 2.4

#15 @rob1n
10 years ago

  • Milestone changed from 2.4 (future) to 2.3 (trunk)

#16 @rob1n
10 years ago

  • Status changed from new to assigned

#17 @tellyworth
10 years ago

login-test-cookie-r5735.patch takes a simpler server-side approach. Instead of a redirect, a test cookie is sent when the login form is displayed, and checked when the POST is processed.

#18 @foolswisdom
10 years ago

  • Keywords has-patch added

#19 @nbachiyski
10 years ago

I like the server-side approach more, but do we need to use as test content the password cookie? Isn't just a "test" enough?

@westi
10 years ago

Refreshed patch

#20 @westi
10 years ago

  • Owner changed from rob1n to westi
  • Status changed from assigned to new

I have updated the patch to address the concerns.

Test cookie is no-loger the password hash

I have also changed the error message to be more informative.

#21 @westi
10 years ago

Ok. I've slept on this and I think it should go in.

If people have issues with the error message then raise a new ticket to get it changed ;-)

#22 @westi
10 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [6009]) Inform the user when cookies are disabled and login fails. Fixed #2039 props tellyworth.

Note: See TracTickets for help on using tickets.