Opened 9 years ago
Last modified 6 years ago
#36317 new enhancement
Introduce a cookie prefix default constant
Reported by: | johnjamesjacoby | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | |
Component: | Login and Registration | Keywords: | 2nd-opinion |
Focuses: | Cc: |
Description (last modified by )
Right now, all of WordPress's cookies are prefixed with the same wordpress
namespace. A problem arises with advanced-cache.php
caching solutions that load before wp_cookie_constants()
is called, where the cookie prefix cannot be guessed.
The current work around is to stab at each cookie individually:
// Auth cookie if ( defined( 'AUTH_COOKIE' ) && ( $this->cookie === AUTH_COOKIE ) ) { return true; } // User cookie if ( defined( 'USER_COOKIE' ) && ( $this->cookie === USER_COOKIE ) ) { return true; } // Logged-in cookie if ( defined( 'LOGGED_IN_COOKIE' ) && ( $this->cookie === LOGGED_IN_COOKIE ) ) { return true; }
And to special case the test cookie, like:
// Generic 'wordpress' cookies (that are not test cookies) if ( ( substr( $this->cookie, 0, 9 ) === 'wordpress' ) && ( $this->cookie !== 'wordpress_test_cookie' ) ) { return true; }
But without a known and trusted cookie prefix, it's still an unpredictable environment.
I'd like to re-propose an 8 year old issue (#6413) to introduce a new default constant to define a cookie prefix. This could turn the above snippet into something at least slightly more sane, like:
// Generic 'wordpress' cookies (that are not test cookies) if ( defined( 'COOKIEPREFIX' ) ) { $len = strlen( COOKIEPREFIX ); if ( substr( $this->cookie, 0, $len ) === COOKIEPREFIX ) && ( false !== strpos( $this->cookie, 'test_cookie', $len ) ) { return true; } }
A COOKIEPREFIX
constant would also allow plugins an easy way to drop themselves inside of WordPress's cookie namespace, which will help them play more nicely in environments where WordPress is not the only application within the domain.