Make WordPress Core

Opened 3 years ago

Last modified 2 years ago

#29594 new defect (bug)

Basic Cookie Authentication from External Database

Reported by: LPH2005
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.0
Component: Role/Capability
Keywords: needs-patch needs-testing
Focuses:
Cc:

Description

Several bridges (WP plugins) linking different forum software packages rely on the wp_set_auth_cookie($user_id,0,0) to get the user logged into WordPress. With the change in WP 4.0, this single line no longer works. Instead, the user is logged into the site but can no longer publish a post or page, nor update a plugin etc. Whereas the same user would be able to do all those things in 3.9.2 and below.

I've come across this issue for three different bridges.

The change is the addition of the token.

[Suggestion] Maybe there needs to be some instruction in the documents on how WP developers want the external authorization to happen for login plus capabilities to post.

Is this a bug with just the single line (wp_set_auth_cookie) not functioning as intended, or do devs expect plugin developers to use other lines of code to get the user logged in ... and authorized to publish, post, etc.?

Change History (10)

#1 @SergeyBiryukov
3 years ago

With the change in WP 4.0, this single line no longer works. Instead, the user is logged into the site but can no longer publish a post or page, nor update a plugin etc.

Could not reproduce. wp_set_auth_cookie() still works as expected for me in 4.0.

#2 follow-up: @LPH2005
3 years ago

@Sergey - I really appreciate you looking but what do you mean "still works as expected" ... what did you do? Sorry but the post is too vague.

Did you use an external database of users and have the user login as well as publish a post? Or did you do something else?

The point is that three different bridges now fail under WP 4.0. The nonce blocks the publishing. Yes, the user can log into the WP site.

If you did get an external database to work then what code did you use and maybe it should be added to the documentation.

#3 in reply to: ↑ 2 ; follow-up: @nacin
3 years ago

Replying to LPH2005:

@Sergey - I really appreciate you looking but what do you mean "still works as expected" ... what did you do? Sorry but the post is too vague.

Could you be more specific with what plugins you're referring to? I imagine SergeyBiryukov included wp-load.php and called wp_set_auth_cookie() and found that the cookie got set. That worked for me as well.

The point is that three different bridges now fail under WP 4.0. The nonce blocks the publishing. Yes, the user can log into the WP site.

Are you saying that you are getting nonce failures, or authentication failures? If nonces are failing, that's a bit different.

#4 in reply to: ↑ 3 @LPH2005
3 years ago

Replying to nacin:

Could you be more specific with what plugins you're referring to? I imagine SergeyBiryukov included wp-load.php and called wp_set_auth_cookie() and found that the cookie got set. That worked for me as well.

The plugins are bridges for forum users to publish on WordPress. For example, XenWord bridges XenForo and WordPress. This bridge worked through 4.0 beta 1 but now fails with the "Are you sure you want to do this?" error when the user (from XenForo) attempts to publish, or update a plugin or theme. The user is logged into WP and can go to the admin panel as well as post comments. So, authentication happens and the user can go to the admin panel but receives a nonce error ("Are you sure ...").

Sorry, this is my first time using trac and wasn't sure how to describe the problem.

I can overcome this error by simply adding a wp_verify_nonce function setting everything always to 1. This isn't a good idea but overcomes the problem and the forum user can then publish a post, update plugins, etc.

So, I return to my original question. The changes in 4.0 no longer allow the developer to simply use wp_set_auth_cookie to get a user to publish. What else is to be used to log a user into the WP admin panel AND allow publishing, updating ....?

I hope that is clear.

If this is not related to wp_set_auth_cookie, where is the token for the nonce supposed to be set?

#5 @kburkhardt
3 years ago

I can confirm that I also have this exact problem with an internal authentication plugin.

Users are logged in as expected with the appropriate roles, but are no longer able to make changes. It's been things like changing user roles, enabling plugins and disabling plugins. I've been poring through the code looking for what has been changed, without much luck so far.

The core of the code that has been working until now is below: (uid is an internal number we have added to usermeta)

    $user = get_user_by('uid', $uidHeader);
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID , 1);

There seems to be something new required in the mix now that I have been unable to find documentation for.

#6 @dd32
3 years ago

I can't duplicate this either.

This code in a mu-plugin works for me, and allows me to edit existing posts, create new posts, nonces pass, etc.

    // http://example.com/wordpress/?login=admin
    add_action( 'init', function() {

        if ( isset( $_GET['login'] ) ) {
            $user = get_user_by( 'login', $_GET['login'] );
            if ( $user ) { // get_user_by() returns false for an unknown login
                wp_set_current_user( $user->ID );
                wp_set_auth_cookie( $user->ID , 1 );
            }
        }

    } );

@kburkhardt: I notice you're using this: get_user_by('uid', $uidHeader); which won't work. WordPress has no 'uid' field; it's 'id' that you want there.

For example, XenWord bridges XenForo and WordPress.

Appears that there's a new release of XenWord in beta testing with 4.0 compatibility. It seems it was calling wp_update_user() after login, which was invalidating the sessions; I don't have access to the code, so I can't determine how it was failing, or if it was a WordPress issue.

#7 @here
3 years ago

Same issue, persists.

Login using a plugin during the after_setup_theme hook:

    wp_set_current_user($user_id, $username);
    wp_set_auth_cookie($user_id, 1);

Following successful login, any admin action results in the nonce error. Activate plugins, change user permissions, etc.

Relates to https://core.trac.wordpress.org/ticket/20276

See also:
http://wordpress.stackexchange.com/questions/160569/wordpress-4-0-cookie-authentication-to-avoid-nonce-error-when-publishing-a-post
http://wordpress.stackexchange.com/questions/160237/security-error-wp-4-0-wp-phpbb-bridge

#8 @here
3 years ago

This worked for me: Create a new token and update the user's session info with the WP_Session_Tokens class.

    // Session manager for this user (WP_Session_Tokens was introduced in 4.0)
    $sessionManager = WP_Session_Tokens::get_instance( $user_id );
    // Create a new session token that expires in one day
    $token = $sessionManager->create( time() + ( 1 * 24 * 60 * 60 ) );
    // Read the session record back and write it again under the same token
    $session = $sessionManager->get( $token );
    $sessionManager->update( $token, $session );

#9 @here
3 years ago

The WP_Session_Tokens technique failed after further testing. The issue turned out to be related to trying to log in a user who was already logged in. After adding a test to avoid trying to re-login the same user, I was able to remove *all* cookie and session handling entirely and rely only on a single call to wp_set_current_user.
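The pattern comments #6 and #9 converge on, written out as an added example (it is not code from the ticket or from any of the bridges named in it): only issue the auth cookie when WordPress does not already recognise the visitor as that user. The function name example_bridge_sync_login and the filter example_bridge_wp_user_id are hypothetical; the filter stands in for whatever lookup the bridge uses to map its own forum session to a WordPress user ID.

```php
<?php
/**
 * Log a bridge-authenticated user into WordPress without replacing the session
 * token that this request's nonces are generated against.
 *
 * Added example (hypothetical names), not code from the ticket. $wp_user_id is
 * assumed to have been resolved already by the bridge from its forum session,
 * or to be 0 when the visitor is not authenticated on the forum side.
 *
 * Returns true only when a new auth cookie was actually issued.
 */
function example_bridge_sync_login( int $wp_user_id ): bool {
	if ( $wp_user_id <= 0 ) {
		return false; // not authenticated externally: leave WordPress state alone
	}

	// Already logged in as this user through the auth cookie: do NOT call
	// wp_set_auth_cookie() again. Since 4.0 each call creates a fresh session
	// token, and wp_create_nonce() mixes the token from the *current* cookie
	// into the nonce, so a nonce generated on this request would be checked
	// against the new token on the next request and fail with
	// "Are you sure you want to do this?".
	if ( get_current_user_id() === $wp_user_id ) {
		return false;
	}

	$user = get_user_by( 'id', $wp_user_id ); // 'id', not 'uid' (see comment #6)
	if ( ! $user ) {
		return false; // no matching WordPress account: never set a cookie for nobody
	}

	wp_set_current_user( $user->ID );
	wp_set_auth_cookie( $user->ID, true ); // "remember me", as in the ticket's snippets
	return true;
}

// Hook early, as the bridges in this ticket do. The hypothetical filter is where
// the bridge's own forum-session -> WordPress-user lookup would plug in; 0 means
// "not logged in on the forum".
add_action( 'init', function () {
	$wp_user_id = (int) apply_filters( 'example_bridge_wp_user_id', 0 );
	example_bridge_sync_login( $wp_user_id );
} );
```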

#10 @chriscct7
2 years ago

  • Keywords needs-patch needs-testing added