Password protected posts not working - secure cookie flag

[bajro]

Hello,

password protected posts no longer work on a http connection due to the secure cookie flag. What do you think about the following solution:

Index: wp-login.php
===================================================================
--- wp-login.php        (revision 545)
+++ wp-login.php        (working copy)
@@ -469,7 +469,7 @@
         * @param int $expires The expiry time, as passed to setcookie().
         */
        $expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
-       $secure = ( 'https' === parse_url( home_url(), PHP_URL_SCHEME ) );
+       $secure = ( $secure_cookie ) ? ( 'https' === parse_url( home_url(), PHP_URL_SCHEME ) ) : false;
        setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ), $expire, COOKIEPATH, COOKIE_DOMAIN, $secure );

        wp_safe_redirect( wp_get_referer() );

Why force secure flag if user doesn't have SSL certificate?

BR,
--
Bajro

[johnbillion]

Thanks for the report bajro.

The secure flag is only set when the home URL of your site uses HTTPS. What is your site configuration? Are you using HTTPS anywhere on your site?

[bajro]

Replying to johnbillion:

Thanks for the report bajro.

The secure flag is only set when the home URL of your site uses HTTPS. What is your site configuration? Are you using HTTPS anywhere on your site?

Yes, we are running WP multisite with domain mapping. Admin page for networkadmin and blog users is https, but blogs for each user (mapped or not) are http. We don't have SSL certificate for each blog we open.

[bajro]

Hello,

any kind of feedback would be appreciated.

BR

[dd32]

What's the value of home_url() in your configuration?

home_url() returns the URL used to view the site, if you don't have SSL configured, that should be a http url, and the cookie code you refer to should set the secure flag to false.

[johnbillion]

In addition to dd32's question, what is the URL you access when you log in to the site? Is it on the same domain and protocol, or a different one?

[bajro]

Yes sorry, should have mentioned that the first time. We are running domain mapping also. So what happens is in case:

www.our-wp.com/someweb/hidden/

This works and sets cookie.

If user has domain, and domain mapping is set than

www.hisdomain.com/hidden will redirect to www.our-wp.com/someotherweb/hidden/ and than back to www.hisdomain.com/hidden

And this is the case when setting cookie fails. This worked without problem in version 3.9.2.

[bajro]

This code above solves problem. Do you see any downsides of this solution?

[johnbillion]

The solution here is actually to set the secure flag based on the scheme of the referer, as that's where the user is redirected to after entering their post password.

[johnbillion]

Just needs a sanity check.

[johnbillion]

In 34932:

Correctly set the secure flag on the post password cookie based on the scheme of the referring URL, if it's available, instead of the home URL.

Fixes #29641