Opened 11 years ago
Closed 11 years ago
#27212 closed defect (bug) (duplicate)
Authentication Check on wp-login.php
| Reported by: | kenmoini | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.8.1 |
| Component: | Login and Registration | Keywords: | |
| Focuses: | administration, performance | Cc: | |
Description
Running 3.8.1 on a few sites that I've tested this with. At first I thought it was the OpenID plugin I was using, but I tested this issue with a vanilla WP installation as well and reproduced the same effect.
/wp-login.php will render the login form even when a user is already authenticated. I added the following lines to the /wp-login.php page, injected at line 24:

```php
if ( is_user_logged_in() ) { header("Location: /"); }
```

This will redirect the user to the main site root if the user is already authenticated and logged in while attempting to request /wp-login.php. When writing my own authentication mechanisms, I would never allow a user to reuse the login form when they're already authenticated. It allows for more issues to be produced as well as potential session vulnerabilities. I figure this should be a resolved issue for WP as well.
Duplicate of #14949, #20639.
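
The redirect requested in this ticket can be applied without editing wp-login.php by hooking `login_init` from a small plugin. This is an added example, not code from the ticket or from WordPress core; the plugin name, the choice of `home_url( '/' )` as the target, and the rules for which requests to skip are assumptions.

```php
<?php
/**
 * Plugin Name: Redirect Logged-In Users From Login Form (added example)
 */

// Added example, not WordPress core code. login_init fires inside
// wp-login.php before any form is rendered.
add_action( 'login_init', function () {
    if ( ! is_user_logged_in() ) {
        return; // Anonymous visitors still get the login form.
    }

    // wp-login.php also serves logout, lost password, reset and similar
    // views; only the plain login view is redirected here.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : 'login';
    if ( 'login' !== $action ) {
        return;
    }

    // Leave forced re-authentication and the session-expired modal alone.
    if ( ! empty( $_REQUEST['reauth'] ) || ! empty( $_REQUEST['interim-login'] ) ) {
        return;
    }

    // Assumption: send the user to the site root, as in the ticket.
    // wp_safe_redirect() restricts the target to allowed hosts, and exit
    // stops the login form from being rendered after the header is sent.
    wp_safe_redirect( home_url( '/' ) );
    exit;
} );
```

Skipping every `action` other than `login` keeps the logout link working, since logout is also handled by wp-login.php.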