WordPress.org

Make WordPress Core

#24025 closed defect (bug) (invalid)

Calling is_user_logged_in() causes the "wordpress_logged_in[HASH]" cookie to be set.

Reported by: tomdkat Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.5.1
Component: Users Keywords:
Focuses: Cc:

Description

While troubleshooting some malfunctioning plugins, I discovered the "is_user_logged_in()" function causes the "wordpress_logged_in[HASH]" cookie to be set. The "is_user_logged_in()" function calls the "wp_validate_auth_cookie()" function, as part of its processing, and it's "wp_validate_auth_cookie()" which actually sets the logged in cookie. I'm reporting this behavior as a bug in "is_user_logged_in()" because I think "is_user_logged_in()" should simply check to see if the current user is logged in or not and not cause any cookies or status to be set or changed.

This behavior caused the W3 Total Cache and Login Security Solution plugins to not properly function in my Wordpress installation. The site in question has pages only and no blog. The custom theme being used called "is_user_logged_in()" to enable some links in the footer of the page if the current website visitor was logged in. Since my site has no blog, there would never be a case where a visitor would be "logged in" yet the call to "is_user_logged_in()" resulted in the "wordpress_logged_in[HASH]" cookie to be set.

You can see some discussion I had with the author of the "Login Security Solution" plugin here:

http://wordpress.org/support/topic/help-needed-with-login-security-solution-0340-problem

Currently, my custom theme has the call to "is_user_logged_in()" commented out so I'm not experiencing the problem. I can enable this call to gather some debugging information, if necessary.

The way I found the issue was using the "Live HTTP Headers" Firefox plugin to monitor the HTTP traffic between my browser and the server and I would see the "wordpress_logged_in[HASH]" cookie being referenced even though I never logged in to Wordpress, at that point.

Please let me know if there's anything else I can do to gather information regarding this issue.

Change History (3)

comment:1 SergeyBiryukov12 months ago

  • Component changed from General to Users
  • Keywords reporter-feedback added

Could not reproduce on a clean install. My steps:

  1. Log out. Clear the site cookies.
  2. Add echo is_user_logged_in(); to theme's header.php.
  3. Visit the site. No new cookies are created.

LOGGED_IN_COOKIE is only set in wp_set_auth_cookie():
http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/pluggable.php#L640

By default, it's only called in wp_signon() and wp_update_user():
http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/user.php#L63
http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/user.php#L1480

Have you tested with all plugins disabled?

comment:2 tomdkat12 months ago

Thanks for the reply. Using your approach, I tried a different Wordpress installation using the default theme and no plugins installed other than what comes with Wordpress and what's activated by default. I was NOT able to recreate the problem. So, I went back to the site in question and deactivated all plugins and re-enabled the call to "is_user_logged_in()" and encountered the problem. I made sure to clear my browser cache and cookies before conducting all of my tests. I also captured the HTTP headers which show the cookie being set.

http://mysite.com/mysite/

GET /mysite/ HTTP/1.1
Host: mysite.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.mysite.com/
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 10 Apr 2013 14:38:45 GMT
Server: Apache
X-Pingback: http://mysite.com/mysite/xmlrpc.php
Set-Cookie: wordpress_8d21f(snip); expires=Wed, 24-Apr-2013 14:38:45 GMT; path=/mysite/wp-content/plugins; httponly
Set-Cookie: wordpress_8d21f(snip); expires=Wed, 24-Apr-2013 14:38:45 GMT; path=/mysite/wp-admin; httponly
Set-Cookie: wordpress_logged_in_8d21f(snip); expires=Wed, 24-Apr-2013 14:38:45 GMT; path=/mysite/; httponly
Cache-Control: max-age=1209600
Expires: Wed, 24 Apr 2013 14:38:45 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1890
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

So, it's got to be something local to my theme. This bug report can be closed. Sorry for wasting your time. :)

Thanks!

comment:3 SergeyBiryukov12 months ago

  • Keywords reporter-feedback removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.