Make WordPress Core

Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#24735 closed defect (bug) (fixed)

Login grace period

Reported by: azaozz
Owned by: azaozz
Milestone: 3.7
Priority: normal
Severity: normal
Version:
Component: Administration
Keywords:
Focuses:
Cc:

Description

After the cookies expire there is a "grace period" of one hour for POST and AJAX requests. However, this doesn't work when the user clicks "Remember Me" on the login screen. The cookies are set with the same expiration time as the $expiration component in them. When that time comes, the browser doesn't send the cookies and the $expired += HOUR_IN_SECONDS; is pointless. This works when Remember Me is not checked, as the cookies are set for the session, i.e. they last as long as the browser is open.

Attachments (1)

24735.patch (903 bytes) - added by azaozz 11 years ago.

Change History (6)

#1 @azaozz
11 years ago

Best way to fix this would be to set the cookies' expiration time longer than the $expiration component when "Remember Me" is checked. That will partially emulate the behavior when "Remember Me" is not checked, i.e. even if the cookies exceed our internal expiration time, the browsers will still send them.

By default that time is 14 days. Extending that by one day seems sufficient.

#2 @azaozz
11 years ago

  • Owner set to azaozz
  • Resolution set to fixed
  • Status changed from new to closed

In 25107:

Logging in: when the Remember Me checkbox is checked, make sure the browser continues to send the expired cookies so the "login grace period" for POST and AJAX requests works. Fixes #24735.

#3 @azaozz
11 years ago

  • Milestone changed from Future Release to 3.7

#4 @nacin
11 years ago

I think I weighed in on this in IRC: Can we just extend it by one hour, given that's the grace period? Why must it be 12 (or 24) hours?

#5 @azaozz
11 years ago

We can, but may miss some border cases where the user's computer clock is not set properly or the users hard-reset their computer clock when crossing timezones, etc. The 12 hours cover any differences between what the server thinks is the UTC time and what the user's computer thinks.

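The interaction discussed in this ticket, modelled as an added example (not WordPress code and not part of the ticket): a browser-side cookie lifetime and a server-side check on the $expiration component with a one-hour grace for POST and AJAX. The function names, the sample request times and the clock-skew parameter are assumptions made for illustration; the 14 days, the one-hour grace and the 12-hour extension come from the thread.

```python
HOUR_IN_SECONDS = 3600
DAY_IN_SECONDS = 24 * HOUR_IN_SECONDS
GRACE = HOUR_IN_SECONDS                # server-side grace for POST and AJAX
EXPIRATION = 14 * DAY_IN_SECONDS       # "Remember Me" login at t=0 (server clock)


def browser_sends(browser_expire, browser_clock):
    """A browser drops a persistent cookie once its own clock passes the expiry.
    browser_expire=None models a session cookie, which is always sent."""
    return browser_expire is None or browser_clock < browser_expire


def server_accepts(expiration, server_now, method, is_ajax=False):
    """Model of the server check: the expiry embedded in the cookie is
    extended by the grace period only for POST and AJAX requests."""
    expired = expiration
    if is_ajax or method == "POST":
        expired += GRACE
    return expired >= server_now


def request_ok(browser_expire, server_now, method, skew=0, is_ajax=False):
    """skew = browser clock minus server clock, in seconds (hypothetical parameter)."""
    if not browser_sends(browser_expire, server_now + skew):
        return False                   # the cookie never reaches the server
    return server_accepts(EXPIRATION, server_now, method, is_ajax)


def grace_period_matrix(extra):
    """Outcomes when the browser expiry is set to $expiration + extra seconds."""
    browser_expire = EXPIRATION + extra
    in_grace = EXPIRATION + 30 * 60            # constructed: 30 min past expiry
    past_grace = EXPIRATION + 2 * HOUR_IN_SECONDS
    return {
        "post_in_grace": request_ok(browser_expire, in_grace, "POST"),
        "get_in_grace": request_ok(browser_expire, in_grace, "GET"),
        "post_past_grace": request_ok(browser_expire, past_grace, "POST"),
        "post_in_grace_clock_2h_fast":
            request_ok(browser_expire, in_grace, "POST", skew=2 * HOUR_IN_SECONDS),
    }


if __name__ == "__main__":
    for label, extra in (("same as $expiration", 0),
                         ("+1 hour", HOUR_IN_SECONDS),
                         ("+12 hours", 12 * HOUR_IN_SECONDS)):
        print(label, grace_period_matrix(extra))
```

In this model the longer browser lifetime never widens what the server accepts: a POST two hours past expiry and a GET at any point past expiry are rejected in all three configurations.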