Make WordPress Core

Opened 9 years ago

Closed 7 years ago

#32408 closed enhancement (worksforme)

Auth cookie expire vs expiration

Reported by: walkinonwat3r's profile walkinonwat3r Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.8
Component: Login and Registration Keywords: reporter-feedback
Focuses: Cc:

Description

We have the auth_cookie_expiration filter to extend the validity period of the cookie, but regardless of the value returned, the user's login always expires when the session ends, at latest.

Is there a security reason for not using auth_cookie_expiration's value as the cookie expiration? Or for not having a separate filter for the cookie expiration?

It seems a bit odd that I can set auth_cookie_expiration to sometime in 2020, but closing my browser will delete the cookie. I took a look at a couple sites in my bookmarks, and they seem split on this:

  • Google + Facebook log you out on session close
  • Github + Basecamp keep you logged in

Change History (3)

#1 @johnbillion
9 years ago

  • Component changed from Users to Login and Registration
  • Keywords reporter-feedback added
  • Version changed from 4.2.2 to 2.8

If you take a look at the source of wp_set_auth_cookie() you'll see that the actual cookie expiration time (the $expire variable) gets set to the value of the expiration time plus two hours. The cookie is only set to a per-session cookie if the user doesn't click the 'Remember me' checkbox when they log in.

Do you have a plugin on your site which is overriding the wp_set_auth_cookie() function? Or do you have a custom login form which hides the 'Remember me' checkbox?

#2 @swissspidy
7 years ago

  • Keywords close added

#3 @SergeyBiryukov
7 years ago

  • Keywords close removed
  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.