Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#24735 closed defect (bug) (fixed)

Login grace period

Reported by: azaozz
Owned by: azaozz
Milestone: 3.7
Priority: normal
Severity: normal
Version:
Component: Administration
Keywords:
Focuses:
Cc:


After the cookies expire there is a "grace period" of one hour for POST and AJAX requests. However, this doesn't work when the user clicks "Remember Me" on the login screen. The cookies are set with the same expiration time as the $expiration component in them. When that time comes, the browser doesn't send the cookies and the $expired += HOUR_IN_SECONDS; is pointless. This works when the Remember Me is not checked, as the cookies are set for the session, i.e. last as long as the browser is open.

Attachments (1)

24735.patch (903 bytes) - added by azaozz 5 years ago.

Change History (6)

#1 @azaozz
5 years ago

Best way to fix this would be to set the cookies' expiration time longer than the $expiration component when "Remember Me" is checked. That will partially emulate the behavior when "Remember Me" is not checked, i.e. even if the cookies exceed our internal expiration time, the browsers will still send them.

By default that time is 14 days. Extending that by one day seems sufficient.

Last edited 5 years ago by azaozz

#2 @azaozz
5 years ago

  • Owner set to azaozz
  • Resolution set to fixed
  • Status changed from new to closed

In 25107:

Logging in: when the Remember Me checkbox is checked, make sure the browser continues to send the expired cookies so the "login grace period" for POST and AJAX requests works. Fixes #24735.

#3 @azaozz
5 years ago

  • Milestone changed from Future Release to 3.7

#4 @nacin
5 years ago

I think I weighed in on this in IRC: Can we just extend it by one hour, given that's the grace period? Why must it be 12 (or 24) hours?

#5 @azaozz
5 years ago

We can, but may miss some border cases where the user's computer clock is not set properly or the users hard-reset their computer clock when crossing timezones, etc. The 12 hours cover any differences between what the server thinks is the UTC time and what the user's computer thinks.

Last edited 5 years ago by azaozz
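
The interaction discussed in this ticket, as an added example: a stand-alone PHP model, not WordPress core code and not the attached patch. The function names, the `$skew` parameter and the timestamps are constructed for illustration, and the model assumes the browser compares the cookie's absolute expiry against its own clock.

```php
<?php
// Added illustration: models the behaviour described in the ticket; not WordPress core code.
const HOUR_IN_SECONDS = 3600;   // defined locally so the script runs stand-alone
const DAY_IN_SECONDS  = 86400;

/** Browser side: a persistent cookie is sent only while the browser's own clock is before its expiry. */
function browser_sends_cookie(int $browserNow, int $cookieExpire): bool {
    return $browserNow < $cookieExpire;
}

/** Server side: checks the $expiration carried inside the cookie, plus one hour of grace for POST and AJAX. */
function server_accepts(int $serverNow, int $expiration, bool $postOrAjax): bool {
    $expired = $expiration;
    if ($postOrAjax) {
        $expired += HOUR_IN_SECONDS;
    }
    return $serverNow < $expired;
}

/** Outcome of one request. $skew is browser clock minus server clock, in seconds (assumed parameter). */
function request_outcome(int $serverNow, int $expiration, int $extra, int $skew, bool $postOrAjax): string {
    $cookieExpire = $expiration + $extra;   // expiry handed to the browser
    if (!browser_sends_cookie($serverNow + $skew, $cookieExpire)) {
        return 'cookie not sent';
    }
    return server_accepts($serverNow, $expiration, $postOrAjax) ? 'accepted' : 'rejected';
}

$login      = 1375000000;                     // constructed login time
$expiration = $login + 14 * DAY_IN_SECONDS;   // "Remember Me" default from the ticket
$now        = $expiration + 30 * 60;          // request arrives 30 minutes after $expiration

$cases = [
    'no extension'          => [0, 0],
    '1 hour, clocks agree'  => [HOUR_IN_SECONDS, 0],
    '1 hour, browser +2h'   => [HOUR_IN_SECONDS, 2 * HOUR_IN_SECONDS],
    '12 hours, browser +2h' => [12 * HOUR_IN_SECONDS, 2 * HOUR_IN_SECONDS],
];
foreach ($cases as $label => [$extra, $skew]) {
    printf("%-24s POST: %s\n", $label, request_outcome($now, $expiration, $extra, $skew, true));
}
// Same late request as a plain GET: the server-side check on $expiration still applies to it.
printf("%-24s GET:  %s\n", '12 hours, clocks agree',
    request_outcome($now, $expiration, 12 * HOUR_IN_SECONDS, 0, false));
```

In this model the longer browser-side lifetime only decides whether the cookie reaches the server; whether the login is still valid is decided by the server-side comparison against `$expiration`.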