Opened 9 years ago
Closed 7 years ago
#32408 closed enhancement (worksforme)
Auth cookie expire vs expiration
| Reported by: | walkinonwat3r | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 2.8 |
| Component: | Login and Registration | Keywords: | reporter-feedback |
| Focuses: | | Cc: | |
Description
We have the auth_cookie_expiration filter to extend the validity period of the cookie, but regardless of the value returned, the user's login always expires when the session ends, at the latest.
Is there a security reason for not using auth_cookie_expiration's value as the cookie expiration? Or for not having a separate filter for the cookie expiration?
It seems a bit odd that I can set auth_cookie_expiration to sometime in 2020, but closing my browser will delete the cookie. I took a look at a couple sites in my bookmarks, and they seem split on this:
- Google + Facebook log you out on session close
- GitHub + Basecamp keep you logged in
Change History (3)
If you take a look at the source of wp_set_auth_cookie() you'll see that the actual cookie expiration time (the $expire variable) gets set to the value of the expiration time plus two hours. The cookie is only set to a per-session cookie if the user doesn't click the 'Remember me' checkbox when they log in.

Do you have a plugin on your site which is overriding the wp_set_auth_cookie() function? Or do you have a custom login form which hides the 'Remember me' checkbox?
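
One way to answer the questions raised in the comment above on a live site, as an added example that is not part of the ticket or of WordPress core: a small must-use plugin that reports whether wp_set_auth_cookie() has been replaced and logs whether the browser is sent a session or a persistent cookie. It assumes a current WordPress release (three-argument auth_cookie_expiration filter, set_auth_cookie action); the file name and the log prefix are hypothetical.

```php
<?php
/**
 * Added diagnostic (not WordPress core code). Assumed location:
 * wp-content/mu-plugins/auth-cookie-diagnostic.php (hypothetical file name).
 */

// Report which file defines wp_set_auth_cookie(). It is a pluggable function,
// so a plugin that loads first can replace the core definition.
add_action( 'plugins_loaded', function () {
	$ref  = new ReflectionFunction( 'wp_set_auth_cookie' );
	$file = wp_normalize_path( $ref->getFileName() );
	$core = wp_normalize_path( ABSPATH . WPINC . '/pluggable.php' );
	if ( $file !== $core ) {
		error_log( "[auth-cookie-diag] wp_set_auth_cookie() overridden in {$file}" );
	}
} );

// Log every value returned through the auth_cookie_expiration filter.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
	error_log( sprintf(
		'[auth-cookie-diag] filter: lifetime=%ds user=%d remember=%s',
		$length, $user_id, $remember ? 'yes' : 'no'
	) );
	return $length; // Observe only; never change the value.
}, PHP_INT_MAX, 3 );

// Log what is actually sent: $expire === 0 means a session cookie.
// The cookie value itself is deliberately never written to the log.
add_action( 'set_auth_cookie', function ( $auth_cookie, $expire, $expiration, $user_id, $scheme ) {
	if ( 0 === (int) $expire ) {
		$kind = 'session cookie (deleted when the browser closes)';
	} else {
		$kind = 'persistent cookie, Expires=' . gmdate( 'c', $expire );
	}
	error_log( sprintf(
		'[auth-cookie-diag] user=%d scheme=%s token valid until %s; browser gets %s',
		$user_id, $scheme, gmdate( 'c', $expiration ), $kind
	) );
}, 10, 5 );
```

If the filter line appears in the log with remember=no, the login form did not submit the 'Remember me' value; if no set_auth_cookie line appears at all after a login, the replacement function is not firing the core action.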