Opened 21 months ago

Closed 21 months ago

Last modified 21 months ago

#21517 closed defect (bug) (duplicate)

Password protected posts have too long lifespan

Reported by: Clorith
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.4.1
Component: Security
Keywords:
Focuses:
Cc:

Description

When creating a password protected post the access permissions are stored with cookies using wp-pass.php which defaults to 10 days.

This is too long of a lifetime for a protected page, as subsequent visits within that timeframe allow anyone access to the protected content.

Ideally this should be a user definable value, either set per post, or on a global level for that WP instance.

Change History (5)

comment:1 scribu, 21 months ago

We could also just make it a session cookie, so that it expires right after the tab (or browser?) is closed.

comment:2 Clorith, 21 months ago

This is also a viable solution, I agree, and might even be a better approach as you don't need to worry about the cookie expiring while the user is using the site.

comment:4 Viper007Bond, 21 months ago

  • Resolution set to duplicate
  • Status changed from new to closed

#21466 is pretty similar to this and has a patch (although maybe not the best one). Let's combine forces.

comment:5 Viper007Bond, 21 months ago

  • Milestone Awaiting Review deleted
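
Added example (not part of the ticket or of WordPress itself): a Python check that classifies the post-password cookie in captured `Set-Cookie` headers as a session cookie, acceptably short-lived, or too long-lived, covering both the 10-day default and the session-cookie proposal discussed above. The `wp-postpass_` prefix is the cookie name WordPress uses; the one-hour limit, the function names and the sample headers are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

PREFIX = "wp-postpass_"  # WordPress post-password cookie name prefix


def cookie_lifetime(set_cookie, now):
    """Return None for a session cookie, else the remaining lifetime."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:      # skip the name=value pair
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    if "max-age" in attrs:                      # Max-Age wins over Expires
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None                                 # neither attribute: session cookie


def audit(headers, now, limit=timedelta(hours=1)):
    """Classify every post-password cookie; `limit` is an assumed policy value."""
    findings = []
    for header in headers:
        name = header.split("=", 1)[0].strip()
        if not name.startswith(PREFIX):
            continue                            # unrelated cookie, ignore
        life = cookie_lifetime(header, now)
        if life is None:
            verdict = "session"
        elif life > limit:
            verdict = "too-long"
        else:
            verdict = "ok"
        findings.append((name, verdict, life))
    return findings


# Constructed sample data: the 10-day default, the session-cookie variant,
# and an unrelated cookie that must be skipped.
NOW = datetime(2012, 8, 8, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    "wp-postpass_0123abcd=constructed; expires=Sat, 18 Aug 2012 10:00:00 GMT; path=/",
    "wp-postpass_0123abcd=constructed; path=/",
    "wordpress_test_cookie=WP+Cookie+check; path=/",
]

if __name__ == "__main__":
    for name, verdict, life in audit(SAMPLE, NOW):
        print(f"{name}: {verdict} ({life})")
```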