#27627 closed defect (bug) (fixed)
auth cookies lose their correct expiration date when changing password
Reported by: | Denis-de-Bernardy | Owned by: | johnbillion |
---|---|---|---|
Milestone: | 4.0 | Priority: | normal |
Severity: | normal | Version: | 2.0 |
Component: | Login and Registration | Keywords: | 2nd-opinion has-patch |
Focuses: | administration | Cc: |
Description
To reproduce:
- Browse the site, and sign in with the remember me checkbox ticked
- Visit your profile in the admin area, and change your password
- Quit the browser (as in quit, rather than close the window, to ensure session cookies are cleared)
- Re-open the browser, and browse the site
Expected: still logged in
Actual: logged out
Attachments (2)
Change History (11)
#1
10 years ago
- Focuses ui removed
- Keywords needs-patch added
- Milestone changed from Awaiting Review to Future Release
- Version changed from trunk to 2.5
#2
10 years ago
- Version changed from 2.5 to 2.0
Actually, this was technically introduced way back in [2872].
#3
10 years ago
- Focuses administration added
- Keywords 2nd-opinion has-patch added; needs-patch removed
I created this patch based on johnbillion's User Switching plugin.
Is the `auth_cookie_expiration` filter needed here? If it is required we again run into the problem of setting its `$remember` boolean.
#4
10 years ago
I understood that the `auth_cookie_expiration` filter is required, otherwise if the cookie lifetime was set to something more than 172800 a "Remember Me" cookie would be created when one changes their password!!!
However, with this patch, if the Non-Remember Me cookie's lifetime is set to something more than that of Remember Me's, this bug appears.
Code to do that:
```php
// Give the Non-Remember Me cookie a longer lifetime than the Remember Me cookie.
add_filter( 'auth_cookie_expiration', 'change_cookie_expiration_insanely', 10, 3 );

function change_cookie_expiration_insanely( $time, $user_id, $remember ) {
	return ( $remember ? '3600' : '86400' );
}
```
But doing this achieves nothing other than modifying the Remember Me cookie's expires parameter, because WordPress sets `$expire` to `0` if `$remember` is `false`.
There is no other reliable way I could find for detecting if Remember Me was checked at login.
#5
10 years ago
- Milestone changed from Future Release to 4.0
- Owner set to johnbillion
- Status changed from new to accepted
Confirmed. Issue is here in `wp_update_user()`. The `$remember` parameter for `wp_set_auth_cookie()` isn't set. Introduced in [6387].
Note: my User Switching plugin has a method for detecting whether the current user should be 'remembered' or not.
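One way to infer "Remember Me" from the existing cookie, with the inverted-lifetime case from comment 4 run beside the defaults. This is an added example, not the ticket's patch or the User Switching plugin's code. It assumes a `username|expiration|hmac` cookie layout and WordPress's default lifetimes of 172800 and 1209600 seconds; the function name and sample cookies are hypothetical.

```php
<?php
// Added illustration: function name and sample cookies are hypothetical.

/**
 * Infer "Remember Me" from an auth cookie's expiration field.
 * Assumed layout: username|expiration|hmac. HMAC validation is out of scope
 * here, so only call this on a cookie that has already been validated.
 * Returns null when the cookie is malformed or already expired.
 */
function cookie_was_remembered( string $cookie, int $now, int $session_lifetime ): ?bool {
    $parts = explode( '|', $cookie );
    if ( count( $parts ) < 3 || ! ctype_digit( $parts[1] ) ) {
        return null;
    }
    $remaining = (int) $parts[1] - $now;
    if ( $remaining <= 0 ) {
        return null;
    }
    // More time left than a non-remember cookie could ever have => remembered.
    return $remaining > $session_lifetime;
}

$now   = 1400000000; // constructed clock
$login = $now - 600; // user signed in ten minutes ago

$cases = array(
    // label => array( remember lifetime, non-remember lifetime ), in seconds
    'default lifetimes'           => array( 1209600, 172800 ),
    'inverted (comment 4 filter)' => array( 3600, 86400 ),
);

foreach ( $cases as $label => $lifetimes ) {
    list( $remember_life, $session_life ) = $lifetimes;
    // Constructed cookies; the third field stands in for the HMAC.
    $remembered = 'alice|' . ( $login + $remember_life ) . '|0000';
    $session    = 'alice|' . ( $login + $session_life ) . '|0000';
    printf(
        "%s: remembered cookie => %s, session cookie => %s\n",
        $label,
        var_export( cookie_was_remembered( $remembered, $now, $session_life ), true ),
        var_export( cookie_was_remembered( $session, $now, $session_life ), true )
    );
}
```

With the inverted lifetimes a remembered cookie never has more time left than the non-remember lifetime, so the check cannot tell it apart from a session cookie.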