Make WordPress Core

Opened 11 years ago

Closed 10 years ago

#29641 closed defect (bug) (fixed)

Password protected posts not working - secure cookie flag

Reported by: bajro Owned by: johnbillion
Milestone: 4.4 Priority: normal
Severity: normal Version: 4.0
Component: Login and Registration Keywords: has-patch
Focuses: Cc:

Description

Hello,

Password protected posts no longer work on an HTTP connection due to the secure cookie flag. What do you think about the following solution:

Index: wp-login.php
===================================================================
--- wp-login.php        (revision 545)
+++ wp-login.php        (working copy)
@@ -469,7 +469,7 @@
         * @param int $expires The expiry time, as passed to setcookie().
         */
        $expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
-       $secure = ( 'https' === parse_url( home_url(), PHP_URL_SCHEME ) );
+       $secure = ( $secure_cookie ) ? ( 'https' === parse_url( home_url(), PHP_URL_SCHEME ) ) : false;
        setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );

        wp_safe_redirect( wp_get_referer() );
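Review bot: the `+` line reads `$secure_cookie`, but nothing in this hunk defines that variable; if it is unset at this point the ternary falls through to `false` on every request, so the cookie carrying `$hasher->HashPassword(...)` of the post password would be sent without the Secure flag even on a fully HTTPS site, which is a regression rather than a fix. The condition also still keys off `home_url()`, and that is the actual problem in the mapped-domain case: the cookie is consumed on the page the user is redirected to (`wp_safe_redirect( wp_get_referer() )`, visible in the context line), so the scheme of that referer, with `home_url()` only as a fallback when no referer is available, is the right input for `$secure`.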

Why force the secure flag if the user doesn't have an SSL certificate?

BR,
--
Bajro

Attachments (1)

29641.diff (763 bytes) - added by johnbillion 10 years ago.


Change History (12)

#1 follow-up: @johnbillion
11 years ago

  • Keywords reporter-feedback added

Thanks for the report bajro.

The secure flag is only set when the home URL of your site uses HTTPS. What is your site configuration? Are you using HTTPS anywhere on your site?

#2 in reply to: ↑ 1 @bajro
11 years ago

Replying to johnbillion:

Thanks for the report bajro.

The secure flag is only set when the home URL of your site uses HTTPS. What is your site configuration? Are you using HTTPS anywhere on your site?

Yes, we are running WP multisite with domain mapping. The admin page for the network admin and blog users is HTTPS, but the blogs for each user (mapped or not) are HTTP. We don't have an SSL certificate for each blog we open.

#3 @bajro
11 years ago

  • Keywords reporter-feedback removed

#4 @bajro
11 years ago

Hello,

any kind of feedback would be appreciated.

BR

#5 @dd32
11 years ago

What's the value of home_url() in your configuration?

home_url() returns the URL used to view the site. If you don't have SSL configured, that should be an HTTP URL, and the cookie code you refer to should set the secure flag to false.

#6 @johnbillion
11 years ago

In addition to dd32's question, what is the URL you access when you log in to the site? Is it on the same domain and protocol, or a different one?

#7 @bajro
11 years ago

Yes, sorry, I should have mentioned that the first time. We are also running domain mapping. So what happens is, in this case:

www.our-wp.com/someweb/hidden/

This works and sets cookie.

If the user has a domain, and domain mapping is set, then

www.hisdomain.com/hidden will redirect to www.our-wp.com/someotherweb/hidden/ and then back to www.hisdomain.com/hidden

And this is the case when setting cookie fails. This worked without problem in version 3.9.2.

#8 @bajro
10 years ago

The code above solves the problem. Do you see any downsides to this solution?

#9 @johnbillion
10 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 4.4
  • Owner set to johnbillion
  • Status changed from new to accepted

The solution here is actually to set the secure flag based on the scheme of the referer, as that's where the user is redirected to after entering their post password.


#10 @johnbillion
10 years ago

  • Keywords has-patch added; needs-patch removed

Just needs a sanity check.

#11 @johnbillion
10 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 34932:

Correctly set the secure flag on the post password cookie based on the scheme of the referring URL, if it's available, instead of the home URL.

Fixes #29641
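To make the behaviour described in comments 9 and 11 concrete, here is an added example (my own PHP, not WordPress core and not the ticket's patch) that contrasts the original rule (Secure flag from the home URL) with the rule the fix describes (Secure flag from the referer's scheme when a referer is available, otherwise the home URL), run against the domain-mapping scenario from comment 7. The helper names are my own; an empty string stands for an unavailable referer.

```php
<?php
// Added example: not WordPress core code and not the patch from the ticket.
// Helper names are my own; URLs are passed in as strings so nothing here
// needs WordPress. An empty referer string means "referer not available".

// Pre-fix rule: the Secure flag depends only on the scheme of home_url().
function postpass_secure_from_home( $home_url ) {
    return 'https' === parse_url( $home_url, PHP_URL_SCHEME );
}

// Rule described in the fix: after posting the password the user is redirected
// back to the referer, so the referer's scheme decides whether the browser
// will send the cookie on that next request (a Secure cookie is never sent
// over plain HTTP). With no referer, fall back to the home URL as before.
function postpass_secure_from_referer( $referer, $home_url ) {
    if ( '' !== $referer ) {
        return 'https' === parse_url( $referer, PHP_URL_SCHEME );
    }
    return postpass_secure_from_home( $home_url );
}

// Would a browser send a cookie with this Secure flag to this target URL?
function cookie_sent_to( $secure, $target_url ) {
    return ! $secure || 'https' === parse_url( $target_url, PHP_URL_SCHEME );
}

// Constructed scenarios based on comment 7: network admin (home URL) is served
// over HTTPS, mapped user blogs are served over plain HTTP.
$home  = 'https://www.our-wp.com';
$cases = array(
    'mapped blog over HTTP' => 'http://www.hisdomain.com/hidden/',
    'main site over HTTPS'  => 'https://www.our-wp.com/someweb/hidden/',
    'referer not available' => '',
);

foreach ( $cases as $label => $referer ) {
    $old  = postpass_secure_from_home( $home );
    $new  = postpass_secure_from_referer( $referer, $home );
    $line = sprintf( '%-22s old Secure=%-5s new Secure=%-5s',
        $label, var_export( $old, true ), var_export( $new, true ) );
    if ( '' !== $referer ) {
        // The mapped-domain case is the bug: old=true means the browser drops
        // the cookie on the HTTP redirect target, so the post never unlocks.
        $line .= sprintf( ' cookie reaches %s: old=%s new=%s', $referer,
            cookie_sent_to( $old, $referer ) ? 'yes' : 'no',
            cookie_sent_to( $new, $referer ) ? 'yes' : 'no' );
    }
    echo $line, "\n";
}
```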
