Make WordPress Core

Opened 10 months ago

Closed 8 months ago

Last modified 8 months ago

#24735 closed defect (bug) (fixed)

Login grace period

Reported by: azaozz
Owned by: azaozz
Milestone: 3.7
Priority: normal
Severity: normal
Version: (none)
Component: Administration
Keywords: (none)
Focuses: (none)
Cc: (none)

Description

After the cookies expire there is a "grace period" of one hour for POST and AJAX requests. However, this doesn't work when the user clicks "Remember Me" on the login screen. The cookies are set with the same expiration time as the $expiration component in them. When that time comes, the browser doesn't send the cookies and the $expired += HOUR_IN_SECONDS; is pointless. This works when Remember Me is not checked, as the cookies are set for the session, i.e. they last as long as the browser is open.

Attachments (1)

24735.patch (903 bytes) - added by azaozz 8 months ago.


Change History (6)

comment:1 azaozz, 10 months ago

Best way to fix this would be to set the cookies expiration time longer than the $expiration component when "Remember Me" is checked. That will partially emulate the behavior when "Remember Me" is not checked, i.e. even if the cookies exceed our internal expiration time, the browsers will still send them.

By default that time is 14 days. Extending that by one day seems sufficient.

Last edited 10 months ago by azaozz

azaozz, 8 months ago

comment:2 azaozz, 8 months ago

  • Owner set to azaozz
  • Resolution set to fixed
  • Status changed from new to closed

In 25107:

Logging in: when the Remember Me checkbox is checked, make sure the browser continues to send the expired cookies so the "login grace period" for POST and AJAX requests works. Fixes #24735.

comment:3 azaozz, 8 months ago

  • Milestone changed from Future Release to 3.7

comment:4 nacin, 8 months ago

I think I weighed in on this in IRC: Can we just extend it by one hour, given that's the grace period? Why must it be 12 (or 24) hours?

comment:5 azaozz, 8 months ago

We can, but may miss some border cases where the user's computer clock is not set properly or the users hard-reset their computer clock when crossing timezones, etc. The 12 hours cover any differences between what the server thinks is the UTC time and what the user's computer thinks.

Last edited 8 months ago by azaozz
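The timing problem in the description and the fix discussed in comments 1 and 5 (browser cookie lifetime = internal $expiration + 12 hours when Remember Me is checked) can be modelled in a few lines. This is an added illustration written for this page, not WordPress code: it reduces the auth cookie to its two lifetimes and shows where the one-hour POST/AJAX grace period is unreachable before the change. The 2-day non-remember lifetime and the `$expired < time()` check are taken from wp_set_auth_cookie() / wp_validate_auth_cookie(); the `fixed` flag and helper names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

HOUR_IN_SECONDS = 3600
DAY_IN_SECONDS = 86400


@dataclass
class AuthCookie:
    expiration: int                  # the $expiration component inside the cookie value
    browser_expires: Optional[int]   # Expires attribute sent to the browser; None = session cookie


def set_auth_cookie(now: int, remember: bool, fixed: bool) -> AuthCookie:
    """Model of the cookie lifetimes chosen at login.

    fixed=False: the pre-25107 behaviour described in the ticket (Expires == $expiration).
    fixed=True:  the browser lifetime is pushed 12 hours past $expiration, as comment:5 argues.
    """
    if remember:
        expiration = now + 14 * DAY_IN_SECONDS
        browser_expires = expiration + (12 * HOUR_IN_SECONDS if fixed else 0)
    else:
        expiration = now + 2 * DAY_IN_SECONDS
        browser_expires = None       # session cookie: sent as long as the browser stays open
    return AuthCookie(expiration, browser_expires)


def browser_sends(cookie: AuthCookie, now: int, browser_open: bool = True) -> bool:
    """Would the browser still attach the cookie to a request made at `now`?"""
    if cookie.browser_expires is None:
        return browser_open
    return now < cookie.browser_expires


def server_validates(cookie: AuthCookie, now: int, is_post_or_ajax: bool) -> bool:
    """wp_validate_auth_cookie(): one extra hour of grace for POST / AJAX, then reject."""
    expired = cookie.expiration
    if is_post_or_ajax:
        expired += HOUR_IN_SECONDS   # the $expired += HOUR_IN_SECONDS; from the description
    return not (expired < now)       # WordPress rejects when $expired < time()


def request_authenticated(cookie: AuthCookie, now: int,
                          is_post_or_ajax: bool = True, browser_open: bool = True) -> bool:
    """Grace only helps if BOTH the browser still sends the cookie AND the server accepts it."""
    return browser_sends(cookie, now, browser_open) and server_validates(cookie, now, is_post_or_ajax)
```

Run `request_authenticated(set_auth_cookie(0, True, False), 14 * DAY_IN_SECONDS + 1800)` to see the ticket's case: the server would still accept the POST, but the browser has already dropped the cookie.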