WordPress.org

Make WordPress Core

Opened 4 years ago

Last modified 3 years ago

#27162 new defect (bug)

Don't store admin messages in transients

Reported by: rmccue Owned by:
Milestone: Awaiting Review Priority: low
Severity: normal Version: 3.0
Component: Administration Keywords:
Focuses: administration Cc:

Description

The settings errors API (add_settings_error/get_settings_errors) in core uses transients to store messages across requests. Unfortunately, this is a misuse of transients, as transients are not guaranteed to exist for any length of time.

I've noticed this issue appear in two separate scenarios:

  • When flushing the cache (after a deploy, e.g.): If you happen to flush the object cache between a add_settings_error call and the next page load, the message will disappear forever
  • When disabling caching for testing purposes, the error will never be set/read (depending on how you disable it)

There's a few options I can see to fix this:

  • Store them in options/usermeta: This keeps all the logic on the backend, but causes potentially costly writes to the database
  • Store them in cookies (session data): This avoids the database write, but means we have to send extra data via the HTTP server, which might be filtering cookies (inbound and outbound). It also means we need to set a hash using a secret key to avoid allowing users to edit their cookies.

Change History (4)

This ticket was mentioned in IRC in #wordpress-dev by rmccue. View the logs.


4 years ago

#3 @obenland
4 years ago

  • Version set to 3.0

Related: #11515.

It would be nice to have an API that uses cookies securely to port information from page load to page load. I talked with Andy Skelton about this in the context of #11515, he created a basic wrapper for that functionality in Jetpack.

Maybe we can use parts of that?

Last edited 4 years ago by obenland (previous) (diff)

This ticket was mentioned in Slack in #core by rmccue. View the logs.


3 years ago

Note: See TracTickets for help on using tickets.