Make WordPress Core

Opened 17 years ago

Closed 16 years ago

#2039 closed defect (bug) (fixed)

Wordpress fails silently when cookies are disabled

Reported by: sjmurdoch's profile sjmurdoch Owned by: westi's profile westi
Milestone: 2.3 Priority: normal
Severity: major Version: 2.0
Component: General Keywords: has-patch
Focuses: Cc:


If a user has disabled cookies then on logging in the user is
returned to the login page without any error message being displayed.

Wordpress should preferably be able to work with cookies disabled,
but at the very least should display an understandable error message
when the user has done this.

Steps to reproduce:

  1. Disable accepting cookies in web browser
  2. Go to http://<wordpress>/wp-login.php
  3. Enter valid login username and password
  4. Click "Login >>"
  5. User is returned to wp-login.php without error message
  • Version tested: wordpress-2.0-RC1
  • PHP version: 4.1.2-7.woody5
  • Operating system: Debian GNU/Linux 3.0

Attachments (4)

2039.diff (1.6 KB) - added by wendel279 17 years ago.
JavaScript to notify user onLoad
2039b.diff (1.1 KB) - added by Nazgul 17 years ago.
login-test-cookie-r5735.patch (1.5 KB) - added by tellyworth 16 years ago.
2039.refreshed.diff (1.5 KB) - added by westi 16 years ago.
Refreshed patch

Download all attachments as: .zip

Change History (26)

#1 @sjmurdoch
17 years ago

  • Component changed from Administration to General
  • Severity changed from normal to major

#2 @sjmurdoch
17 years ago

  • Cc wptrac+Steven.Murdoch@… added

#3 @sjmurdoch
17 years ago

  • Cc sjmurdoch added; wptrac+Steven.Murdoch@… removed

17 years ago

JavaScript to notify user onLoad

#4 @wendel279
17 years ago

I figured a message informing the user that their cookies are disabled onLoad would work. What do you think?

#5 @markjaquith
17 years ago

Good idea, but the patch needs some serious work in terms of grammer and XHTML validity.

#6 @sjmurdoch
17 years ago

I am not sure if Javascript is the right way to go, since there is a good chance that people paranoid enough to turn off cookies will have turned off Javascript too.

The scheme I have used in the past was suggested in CGI Programming with Perl, and it doesn't rely on Javascript.

The login page checks for a cookie. If it is present, great, otherwise it sets a cookie then redirects to a cookie test page. If the cookie is set, it redirects back to the login page, otherwise it displays an error message. The book recommends that the redirection URL be an absolute path to avoid the webserver ignoring it.

#7 @Nazgul
17 years ago

  • Keywords dev-feedback added

Do we actually need to determine this programmatically or would a fixed footnote on the login page stating "requires cookies" be sufficient?

#8 @sjmurdoch
17 years ago


For usability reasons, yes I think this should be caught programatically. Otherwise there is an extra message to read for the users who have cookies enabled. For those who do not, a static footnote could be easily missed, whereas a big error message would be clear.

17 years ago

#9 @Nazgul
17 years ago

  • Milestone set to 2.1

First stab at a patch. Please shoot at it.

#10 @Nazgul
17 years ago

  • Owner changed from anonymous to Nazgul
  • Status changed from new to assigned

#11 @matt
17 years ago

  • Milestone changed from 2.1 to 2.2

#12 @foolswisdom
16 years ago

  • Milestone changed from 2.2 to 2.3

#13 @rob1n
16 years ago

  • Owner changed from Nazgul to rob1n
  • Status changed from assigned to new

#14 @rob1n
16 years ago

  • Keywords dev-feedback removed
  • Milestone changed from 2.3 to 2.4

#15 @rob1n
16 years ago

  • Milestone changed from 2.4 (future) to 2.3 (trunk)

#16 @rob1n
16 years ago

  • Status changed from new to assigned

#17 @tellyworth
16 years ago

login-test-cookie-r5735.patch takes a simpler server-side approach. Instead of a redirect, a test cookie is sent when the login form is displayed, and checked when the POST is processed.

#18 @foolswisdom
16 years ago

  • Keywords has-patch added

#19 @nbachiyski
16 years ago

I like the server-side approach more, but do we need to use as test content the password cookie? Isn't just a "test" enough?

16 years ago

Refreshed patch

#20 @westi
16 years ago

  • Owner changed from rob1n to westi
  • Status changed from assigned to new

I have updated the patch to address the concerns.

Test cookie is no-loger the password hash

I have also changed the error message to be more informative.

#21 @westi
16 years ago

Ok. I've slept on this and I think it should go in.

If people have issues with the error message then raise a new ticket to get it changed ;-)

#22 @westi
16 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [6009]) Inform the user when cookies are disabled and login fails. Fixed #2039 props tellyworth.

Note: See TracTickets for help on using tickets.