Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#21517 closed defect (bug) (duplicate)

Password protected posts have too long lifespan

Reported by: Clorith
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.4.1
Component: Security
Keywords:
Focuses:
Cc:


When creating a password-protected post, the access permissions are stored with cookies using wp-pass.php, which defaults to 10 days.

This is too long of a lifetime for a protected page, as subsequent visits within that timeframe allow anyone access to the protected content.

Ideally this should be a user-definable value, either set per post, or on a global level for that WP instance.

Change History (5)

#1 @scribu
3 years ago

We could also just make it a session cookie, so that it expires right after the tab (or browser?) is closed.

#2 @Clorith
3 years ago

This is also a viable solution, I agree, and might even be a better approach as you don't need to worry about the cookie expiring while the user is using the site.
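
Both options raised in this ticket, a site-wide configurable lifetime and a session cookie, expressed as a small plugin. This is an added example, not code from the ticket or from WordPress core. It assumes a WordPress release that provides the core `post_password_expires` filter; the constant `EXAMPLE_POSTPASS_LIFETIME` and the function `example_postpass_expires()` are hypothetical names.

```php
<?php
/**
 * Plugin Name: Post password cookie lifetime (added example, not core code)
 *
 * Assumes the core 'post_password_expires' filter is available.
 * EXAMPLE_POSTPASS_LIFETIME is a hypothetical constant, set in wp-config.php:
 *   0        => session cookie (dropped when the browser session ends)
 *   N (> 0)  => cookie expires N seconds after the password is entered
 */
if ( ! defined( 'EXAMPLE_POSTPASS_LIFETIME' ) ) {
	define( 'EXAMPLE_POSTPASS_LIFETIME', 0 ); // default to a session cookie
}

/**
 * Shorten the lifetime of the post password cookie.
 *
 * @param int $expires Expiry timestamp chosen by core (10 days by default).
 * @return int Unix timestamp for the cookie expiry, or 0 for a session cookie.
 */
function example_postpass_expires( $expires ) {
	$lifetime = (int) EXAMPLE_POSTPASS_LIFETIME;

	if ( $lifetime <= 0 ) {
		return 0; // setcookie() treats 0 as "expire at end of session"
	}

	// Only ever shorten the lifetime; never extend it past what core chose.
	// If an earlier callback already returned 0, the cookie stays a session cookie.
	return min( (int) $expires, time() + $lifetime );
}

// Register only when loaded inside WordPress.
if ( function_exists( 'add_filter' ) ) {
	add_filter( 'post_password_expires', 'example_postpass_expires' );
}
```

A cookie that was already issued keeps its original expiry until the visitor enters the password again, so a shorter lifetime only applies to new unlocks.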

#3 @ocean90
3 years ago

Related: #21466

#4 @Viper007Bond
3 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

#21466 is pretty similar to this and has a patch (although maybe not the best one). Let's combine forces.

#5 @Viper007Bond
3 years ago

  • Milestone Awaiting Review deleted