Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#27627 closed defect (bug) (fixed)

auth cookies lose their correct expiration date when changing password

Reported by: Denis-de-Bernardy
Owned by: johnbillion
Milestone: 4.0
Priority: normal
Severity: normal
Version: 2.0
Component: Login and Registration
Keywords: 2nd-opinion has-patch
Focuses: administration
Cc:

Description

To reproduce:

  1. Browse the site, and sign in with the remember me checkbox ticked
  2. Visit your profile in the admin area, and change your password
  3. Quit the browser (as in quit, rather than close the window, to ensure session cookies are cleared)
  4. Re-open the browser, and browse the site

Expected: still logged in
Actual: logged out

Attachments (2)

27627.diff (510 bytes) - added by jesin 7 years ago.
Set the $remember boolean when calling wp_set_auth_cookie() inside wp_update_user()
27627.2.diff (614 bytes) - added by jesin 7 years ago.
Retrieve the cookie lifetime via auth_cookie_expiration filter


Change History (11)

#1 @johnbillion
7 years ago

  • Focuses ui removed
  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release
  • Version changed from trunk to 2.5

Confirmed. Issue is here in wp_update_user(). The $remember parameter for wp_set_auth_cookie() isn't set.

Introduced in [6387].

Note: my User Switching plugin has a method for detecting whether the current user should be 'remembered' or not.

#2 @johnbillion
7 years ago

  • Version changed from 2.5 to 2.0

Actually, this was technically introduced way back in [2872].

@jesin
7 years ago

Set the $remember boolean when calling wp_set_auth_cookie() inside wp_update_user()

#3 @jesin
7 years ago

  • Focuses administration added
  • Keywords 2nd-opinion has-patch added; needs-patch removed

I created this patch based on johnbillion's User Switching plugin.

Is the auth_cookie_expiration filter needed here? If it is required we again run into the problem of setting its $remember boolean.

@jesin
7 years ago

Retrieve the cookie lifetime via auth_cookie_expiration filter

#4 @jesin
7 years ago

I understood that the auth_cookie_expiration filter is required; otherwise, if the cookie lifetime was set to something more than 172800, a "Remember Me" cookie would be created when one changes their password!!!

However, with this patch, if the Non-Remember Me cookie's lifetime is set to something more than that of Remember Me's, this bug appears.

Code to do that:

add_filter( 'auth_cookie_expiration', 'change_cookie_expiration_insanely', 10, 3 );

// Deliberately invert the lifetimes: 1 hour with "Remember Me", 24 hours without.
// Return integers (seconds); WordPress adds the value to time().
function change_cookie_expiration_insanely( $time, $user_id, $remember ) {
        return ( $remember ? 3600 : 86400 );
}

But doing this achieves nothing other than modifying the Remember Me cookie's expires parameter, because WordPress sets $expire to 0 if $remember is false.

There is no other reliable way I could find for detecting if Remember Me was checked at login.

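An added example, not code from the ticket, the attached patches or WordPress core, of the two pieces this thread circles around: the reproduction in the description (the auth cookie is re-issued after a password change and the "Remember Me" state is dropped) and the detection heuristic from comment #4 (compare the cookie's remaining lifetime against what a non-remembered login would have been given via the auth_cookie_expiration filter). It assumes a WordPress environment providing wp_parse_auth_cookie(), wp_set_auth_cookie(), wp_clear_auth_cookie(), DAY_IN_SECONDS and the auth_cookie_expiration filter with core's 2-day and 14-day defaults; the ex27627_* function names are hypothetical helpers.

```php
<?php
/**
 * Added example, not WordPress core code. Hypothetical ex27627_* helpers that
 * recover the "Remember Me" state of the current session from the auth cookie
 * itself and re-issue the cookie after a password change without losing it.
 *
 * Assumes WordPress is loaded: wp_parse_auth_cookie(), wp_set_auth_cookie(),
 * wp_clear_auth_cookie(), DAY_IN_SECONDS and the auth_cookie_expiration filter.
 */

/**
 * Sanity check for the heuristic below. It only works while a remembered
 * login lives longer than a plain one; a filter that inverts the two
 * lifetimes (the "insane" filter from comment #4) makes them indistinguishable.
 */
function ex27627_lifetimes_are_distinguishable( $user_id ) {
    // Same defaults wp_set_auth_cookie() passes through the filter.
    $session_life  = apply_filters( 'auth_cookie_expiration', 2 * DAY_IN_SECONDS, $user_id, false );
    $remember_life = apply_filters( 'auth_cookie_expiration', 14 * DAY_IN_SECONDS, $user_id, true );
    return $remember_life > $session_life;
}

/**
 * True when the cookie's remaining lifetime exceeds the lifetime a
 * non-remembered login would have received. Once the login form's checkbox
 * value is gone, the expiration field inside the cookie is the only signal
 * left; the browser-side expires attribute is 0 (session) for plain logins.
 */
function ex27627_session_is_remembered( $user_id ) {
    $cookie = wp_parse_auth_cookie( '', 'logged_in' );
    if ( ! $cookie || empty( $cookie['expiration'] ) ) {
        return false; // no usable logged_in cookie: treat as a plain login
    }

    $session_life = apply_filters( 'auth_cookie_expiration', 2 * DAY_IN_SECONDS, $user_id, false );
    $remaining    = (int) $cookie['expiration'] - time();

    return $remaining > $session_life;
}

/**
 * Drop-in for the bare wp_set_auth_cookie( $ID ) call in wp_update_user():
 * clear the old cookie and set a fresh one that keeps the remembered state.
 * Returns the state that was applied so callers (or a test) can check it.
 */
function ex27627_reissue_auth_cookie_after_password_change( $user_id ) {
    $remember = ex27627_lifetimes_are_distinguishable( $user_id )
        && ex27627_session_is_remembered( $user_id );

    wp_clear_auth_cookie();
    wp_set_auth_cookie( $user_id, $remember );

    return $remember;
}
```

The distinguishability check is what guards the failure mode jesin describes: when a site-specific filter makes the non-remembered lifetime the longer of the two, the helper falls back to a plain (non-remembered) cookie rather than guessing, which is the safer direction for an auth cookie to err in.
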
#5 @johnbillion
7 years ago

  • Milestone changed from Future Release to 4.0
  • Owner set to johnbillion
  • Status changed from new to accepted

#6 @DrewAPicture
7 years ago

@johnbillion: what's left here?

#7 @johnbillion
7 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 29043:

Persist the "Remember Me" state of the auth cookie when changing your own password. Props jesin. Fixes #27627.

#8 @johnbillion
7 years ago

We could do with a cookie abstraction layer that we can mock in unit tests so we can test stuff like this.

#9 @ocean90
7 years ago

In 29102:

Add missing filter doc, see [29043].

see #27627.
