Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#27212 closed defect (bug) (duplicate)

Authentication Check on wp-login.php

Reported by: kenmoini
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.8.1
Component: Login and Registration
Keywords:
Focuses: administration, performance
Cc:
PR Number:

Description

Running 3.8.1 on a few sites that I've tested this with. At first I thought it was the OpenID plugin I was using, but I tested this issue with a vanilla WP installation as well and reproduced the same effect.

/wp-login.php will render the login form even when a user is already authenticated. I added the following lines to /wp-login.php, injected at line 24:

// Redirect an already-authenticated user away from the login form.
if ( is_user_logged_in() ) {
	header("Location: /");
	// Stop here; otherwise wp-login.php keeps running and still renders the form.
	exit;
}

This will redirect the user to the main site root if the user is already authenticated and logged in while attempting to request /wp-login.php. When writing my own authentication mechanisms, I would never allow a user to reuse the login form when they're already authenticated. It allows for more issues to be produced as well as potential session vulnerabilities. I figure this should be a resolved issue for WP as well.
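The same check can be applied without editing wp-login.php itself, by hooking the `login_init` action from a small must-use plugin. The following is an added example written for this ticket, not code from the reporter or from WordPress core; it assumes the file lives under wp-content/mu-plugins/ and uses the real core functions `is_user_logged_in()`, `wp_safe_redirect()`, `home_url()` and `sanitize_key()`. It also covers a caveat the one-line patch above does not: wp-login.php serves more than the plain form (logout, password-protected posts, the interim re-login dialog), and a logged-in user must still be able to reach those actions.

```php
<?php
/**
 * Plugin Name: Redirect authenticated users away from wp-login.php (example)
 *
 * Added example for ticket #27212; not part of WordPress core or the ticket.
 * Assumed location: wp-content/mu-plugins/redirect-logged-in.php
 */

add_action( 'login_init', 'example_redirect_logged_in_users' );

function example_redirect_logged_in_users() {
    // Anonymous visitor: let the normal login form render.
    if ( ! is_user_logged_in() ) {
        return;
    }

    // wp-login.php multiplexes several actions on the "action" parameter.
    // Only the plain login form (no action, or action=login) should bounce
    // an authenticated user; logout, postpass, lostpassword, etc. must
    // still work for someone who is logged in.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : 'login';
    if ( 'login' !== $action ) {
        return;
    }

    // The interim-login dialog is opened inside wp-admin when the auth
    // cookie has expired; redirecting it would break that re-auth flow.
    if ( ! empty( $_REQUEST['interim-login'] ) ) {
        return;
    }

    // wp_safe_redirect() refuses hosts outside the allowed-redirect list,
    // and exit prevents the rest of wp-login.php from rendering the form
    // after the Location header has been sent.
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
```

Hooking `login_init` survives core updates, whereas a line added directly to wp-login.php is overwritten on the next upgrade. The destination (`home_url( '/' )`) mirrors the site-root redirect in the ticket; a site that prefers the dashboard can substitute `admin_url()`.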

Change History (1)

#1 @helen
6 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #14949, #20639.