Make WordPress Core

Opened 5 years ago

Closed 4 years ago

#29641 closed defect (bug) (fixed)

Password protected posts not working - secure cookie flag

Reported by: bajro Owned by: johnbillion
Milestone: 4.4 Priority: normal
Severity: normal Version: 4.0
Component: Login and Registration Keywords: has-patch

Description

Hello,

Password protected posts no longer work on an HTTP connection due to the secure cookie flag. What do you think about the following solution:

Index: wp-login.php
===================================================================
--- wp-login.php        (revision 545)
+++ wp-login.php        (working copy)
@@ -469,7 +469,7 @@
         * @param int $expires The expiry time, as passed to setcookie().
         */
        $expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
-       $secure = ( 'https' === parse_url( home_url(), PHP_URL_SCHEME ) );
+       $secure = ( $secure_cookie ) ? ( 'https' === parse_url( home_url(), PHP_URL_SCHEME ) ) : false;
        setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );

        wp_safe_redirect( wp_get_referer() );
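Review bot: $secure_cookie in the added line is not defined anywhere in this hunk, and the patch shows nothing that sets it on the post-password path; if it is unset here the ternary always yields false, so the cookie carrying HashPassword( $_POST['post_password'] ) is written without the Secure flag even when the referring page was served over HTTPS, which trades the reporter's breakage for a regression on every HTTPS site. The variable that actually answers "where will this cookie be presented next" is the referer already used two lines below in wp_safe_redirect( wp_get_referer() ), so derive the flag from its scheme and keep the home URL only as the fallback when no referer is present, e.g. $referer = wp_get_referer(); $secure = $referer ? ( 'https' === parse_url( $referer, PHP_URL_SCHEME ) ) : ( 'https' === parse_url( home_url(), PHP_URL_SCHEME ) );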

Why force the secure flag if the user doesn't have an SSL certificate?

BR,
--
Bajro

Attachments (1)

29641.diff (763 bytes) - added by johnbillion 4 years ago.


Change History (12)

#1 follow-up: @johnbillion
5 years ago

  • Keywords reporter-feedback added

Thanks for the report bajro.

The secure flag is only set when the home URL of your site uses HTTPS. What is your site configuration? Are you using HTTPS anywhere on your site?

#2 in reply to: ↑ 1 @bajro
5 years ago

Replying to johnbillion:

Thanks for the report bajro.

The secure flag is only set when the home URL of your site uses HTTPS. What is your site configuration? Are you using HTTPS anywhere on your site?

Yes, we are running WP multisite with domain mapping. The admin page for the network admin and blog users is HTTPS, but the blogs for each user (mapped or not) are HTTP. We don't have an SSL certificate for each blog we open.

#3 @bajro
5 years ago

  • Keywords reporter-feedback removed

#4 @bajro
5 years ago

Hello,

any kind of feedback would be appreciated.

BR

#5 @dd32
5 years ago

What's the value of home_url() in your configuration?

home_url() returns the URL used to view the site. If you don't have SSL configured, that should be an HTTP URL, and the cookie code you refer to should set the secure flag to false.

#6 @johnbillion
5 years ago

In addition to dd32's question, what is the URL you access when you log in to the site? Is it on the same domain and protocol, or a different one?

#7 @bajro
5 years ago

Yes, sorry, I should have mentioned that the first time. We are also running domain mapping. So what happens is, in the case:

www.our-wp.com/someweb/hidden/

This works and sets cookie.

If the user has a domain, and domain mapping is set, then

www.hisdomain.com/hidden will redirect to www.our-wp.com/someotherweb/hidden/ and then back to www.hisdomain.com/hidden

And this is the case where setting the cookie fails. This worked without problem in version 3.9.2.

#8 @bajro
5 years ago

The code above solves the problem. Do you see any downsides of this solution?

#9 @johnbillion
4 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 4.4
  • Owner set to johnbillion
  • Status changed from new to accepted

The solution here is actually to set the secure flag based on the scheme of the referer, as that's where the user is redirected to after entering their post password.

#10 @johnbillion
4 years ago

  • Keywords has-patch added; needs-patch removed

Just needs a sanity check.

#11 @johnbillion
4 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 34932:

Correctly set the secure flag on the post password cookie based on the scheme of the referring URL, if it's available, instead of the home URL.

Fixes #29641
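The decision rule from comment 9 and changeset 34932 (Secure flag follows the scheme of the referring URL rather than the home URL), written out as an added, standalone example that is not the ticket's patch or WordPress core code. wp_get_referer() and home_url() are replaced by plain arguments so it runs under the php CLI without WordPress; the fallback to the home URL's scheme when no referer is present is this example's assumption, not something the ticket spells out. The hostnames are the reporter's, and a small browser-side check shows why the old rule locked the mapped HTTP blog out: a cookie set with Secure from an HTTPS home URL is never presented on a plain-HTTP request.

```php
<?php
// Added example (not WordPress core code). Reproduces the post password
// cookie Secure-flag rule from #29641 comment 9 / changeset 34932.
// Assumptions: referer and home URL are passed in as strings instead of
// calling wp_get_referer()/home_url(); falling back to the home URL when
// there is no referer is this example's choice.

/**
 * Decide whether the wp-postpass_* cookie should carry the Secure flag.
 *
 * @param string|null $referer  URL the visitor is redirected back to, or null.
 * @param string      $home_url The site's home URL (basis for the flag in 4.0).
 */
function post_password_cookie_secure( ?string $referer, string $home_url ): bool {
    // The referer is where wp_safe_redirect() sends the visitor next, so it is
    // the origin on which the browser has to present the cookie.
    if ( $referer !== null && $referer !== '' ) {
        return 'https' === parse_url( $referer, PHP_URL_SCHEME );
    }
    // No referer (stripped by a privacy setting, direct POST): fall back to
    // the home URL's scheme, i.e. the pre-4.4 behaviour.
    return 'https' === parse_url( $home_url, PHP_URL_SCHEME );
}

/**
 * Browser-side consequence of the flag: a Secure cookie is only attached to
 * requests whose scheme is https. This is what "setting cookie fails" in the
 * ticket actually looks like from the server's point of view.
 */
function cookie_sent_with_request( bool $secure, string $request_url ): bool {
    $scheme = parse_url( $request_url, PHP_URL_SCHEME );
    return ! $secure || 'https' === $scheme;
}

// Constructed scenarios from the ticket (not real traffic). Login and the
// network admin live on the HTTPS home URL; mapped blogs are plain HTTP.
$home  = 'https://www.our-wp.com';
$cases = [
    'unmapped blog, HTTP' => 'http://www.our-wp.com/someweb/hidden/',
    'mapped blog, HTTP'   => 'http://www.hisdomain.com/hidden/',
    'mapped blog, HTTPS'  => 'https://www.hisdomain.com/hidden/',
    'referer missing'     => null,
];

foreach ( $cases as $label => $referer ) {
    // 4.0 rule: flag taken from the home URL alone.
    $old_secure = 'https' === parse_url( $home, PHP_URL_SCHEME );
    // 4.4 rule: flag taken from the referer first.
    $new_secure = post_password_cookie_secure( $referer, $home );

    // The post the visitor lands on after the redirect, where the cookie
    // must be readable to unlock the content.
    $landing = $referer ?? $home . '/';

    printf(
        "%-20s old: secure=%-5s sent=%-5s | new: secure=%-5s sent=%s\n",
        $label,
        var_export( $old_secure, true ),
        var_export( cookie_sent_with_request( $old_secure, $landing ), true ),
        var_export( $new_secure, true ),
        var_export( cookie_sent_with_request( $new_secure, $landing ), true )
    );
}
```

With the home URL on HTTPS, the old rule sets Secure unconditionally and the browser withholds the cookie on the HTTP mapped blog, so the password form reappears; the new rule sets Secure only when the page the visitor returns to is itself HTTPS, which keeps the flag on HTTPS blogs while letting HTTP-only mapped blogs work. The trade-off the referer-based rule accepts is that on a mixed-scheme site a cookie issued for an HTTP blog is, by design, not Secure, so it is only as protected as the page it was issued for.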
