Opened 11 years ago
Closed 10 years ago
#29641 closed defect (bug) (fixed)
Password protected posts not working - secure cookie flag
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 4.4 | Priority: | normal |
| Severity: | normal | Version: | 4.0 |
| Component: | Login and Registration | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
Hello,
password protected posts no longer work on an http connection due to the secure cookie flag. What do you think about the following solution:
Index: wp-login.php =================================================================== --- wp-login.php (revision 545) +++ wp-login.php (working copy) @@ -469,7 +469,7 @@ * @param int $expires The expiry time, as passed to setcookie(). */ $expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS ); - $secure = ( 'https' === parse_url( home_url(), PHP_URL_SCHEME ) ); + $secure = ( $secure_cookie ) ? ( 'https' === parse_url( home_url(), PHP_URL_SCHEME ) ) : false; setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure ); wp_safe_redirect( wp_get_referer() );
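Review bot: `$secure_cookie` in the added `$secure = ( $secure_cookie ) ? ... : false;` line is not assigned anywhere in the visible context; if it is unset or empty in this branch, `$secure` is always false and the post-password cookie is sent without the Secure flag even when `home_url()` is HTTPS. The following line redirects to `wp_get_referer()`, so consider deriving the flag from that URL's scheme, for example `$secure = ( 'https' === parse_url( wp_get_referer(), PHP_URL_SCHEME ) );`, with an explicit false when no referer is available.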
Why force the secure flag if the user doesn't have an SSL certificate?
BR,
--
Bajro
Attachments (1)
Change History (12)
#2 in reply to: ↑ 1 @ 11 years ago
Replying to johnbillion:
> Thanks for the report bajro.
> The secure flag is only set when the home URL of your site uses HTTPS. What is your site configuration? Are you using HTTPS anywhere on your site?
Yes, we are running WP multisite with domain mapping. Admin page for networkadmin and blog users is https, but blogs for each user (mapped or not) are http. We don't have SSL certificate for each blog we open.
#5 @ 11 years ago
What's the value of home_url() in your configuration?
home_url() returns the URL used to view the site, if you don't have SSL configured, that should be a http url, and the cookie code you refer to should set the secure flag to false.
#6 @ 11 years ago
In addition to dd32's question, what is the URL you access when you log in to the site? Is it on the same domain and protocol, or a different one?
#7 @ 11 years ago
Yes sorry, should have mentioned that the first time. We are running domain mapping also. So what happens is in case:
www.our-wp.com/someweb/hidden/
This works and sets cookie.
If the user has a domain, and domain mapping is set, then
www.hisdomain.com/hidden will redirect to www.our-wp.com/someotherweb/hidden/ and then back to www.hisdomain.com/hidden
And this is the case when setting cookie fails. This worked without problem in version 3.9.2.
#9 @ 10 years ago
- Keywords needs-patch added
- Milestone changed from Awaiting Review to 4.4
- Owner set to johnbillion
- Status changed from new to accepted
The solution here is actually to set the secure flag based on the scheme of the referer, as that's where the user is redirected to after entering their post password.
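The referer-based decision from comment #9 next to the home-URL check visible in the patch context, as an added example that is not WordPress core code. The function names and hostnames are hypothetical, and `cookie_is_sent()` models only the scheme rule for Secure cookies, not domain or path matching.

```php
<?php
// Added example, not WordPress core code; function names are hypothetical.

// Check shown in the ticket's patch context: follow the home URL's scheme.
function secure_from_home( string $home_url ): bool {
    return 'https' === parse_url( $home_url, PHP_URL_SCHEME );
}

// Approach from comment #9: follow the scheme of the referer, since that
// is the URL the visitor is redirected to after submitting the password.
function secure_from_referer( ?string $referer ): bool {
    if ( null === $referer || '' === $referer ) {
        return false; // Assumption: with no referer, do not set the flag.
    }
    return 'https' === parse_url( $referer, PHP_URL_SCHEME );
}

// Browser rule: a cookie marked Secure is only returned over HTTPS.
function cookie_is_sent( bool $secure_flag, string $request_url ): bool {
    $is_https = ( 'https' === parse_url( $request_url, PHP_URL_SCHEME ) );
    return $is_https || ! $secure_flag;
}

// Constructed scenarios with placeholder hostnames: home URL, then referer.
$scenarios = array(
    'http home, http post'   => array( 'http://blog.example/', 'http://blog.example/hidden/' ),
    'https home, http post'  => array( 'https://blog.example/', 'http://blog.example/hidden/' ),
    'https home, https post' => array( 'https://blog.example/', 'https://blog.example/hidden/' ),
);

foreach ( $scenarios as $name => list( $home, $referer ) ) {
    $old = secure_from_home( $home );
    $new = secure_from_referer( $referer );
    printf(
        "%-23s home-based: Secure=%d sent=%d | referer-based: Secure=%d sent=%d\n",
        $name,
        $old,
        cookie_is_sent( $old, $referer ),
        $new,
        cookie_is_sent( $new, $referer )
    );
}
```

Only the mixed row differs between the two strategies: the home-based flag yields a cookie the HTTP page never receives, while the referer-based flag still keeps Secure set when the post is viewed over HTTPS.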