WordPress.org

Make WordPress Core

Opened 12 months ago

Closed 11 months ago

Last modified 11 months ago

#37333 closed defect (bug) (worksforme)

Cookie remains valid after post password is changed

Reported by: henry.wright
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Posts, Post Types
Keywords:
Focuses:
Cc:

Description

If a user enters a correct password on a password protected post, a cookie is set which gives that user access to the post content. If the site admin then changes the post password, I'd expect access to be revoked from users who entered the old password. However, that doesn't happen.

Change History (2)

#1 @johnbillion
11 months ago

  • Component changed from General to Posts, Post Types
  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

Thanks for the report.

When a user enters a password for a password protected post, the password is stored encrypted in the wp-postpass cookie. If the password on the post changes, the cookie no longer contains the correct encrypted password. I've tested this behaviour, and the password protected post becomes unavailable again once the password is changed.

I suspect your issue is related to caching, either at the network level or at the browser level. I'd take a look at that as a first point of debugging.

#2 @henry.wright
11 months ago

Hi John

Thanks for pointing out network level caching. I suspect that could be why I had continued access to the content after a password change.
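A small model of the behaviour discussed in comments #1 and #2, added here as an example and not taken from the ticket or from WordPress core: the cookie holds a salted hash of the entered password, the origin re-checks it against the post's current password, and a cache keyed on the URL alone keeps serving the unlocked page after the password changes. PBKDF2, the function names, the `/post` URL and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os

ROUNDS = 50_000  # constructed work factor for this model

def issue_cookie(entered_password):
    """Cookie value set after the visitor submits a password: salt + salted hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", entered_password.encode(), salt, ROUNDS)
    return salt.hex() + "$" + digest.hex()

def password_required(post_password, cookie):
    """True when the visitor must enter the post's password (again)."""
    if not post_password:
        return False  # post is not protected
    try:
        salt_hex, digest_hex = cookie.split("$", 1)
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except (AttributeError, ValueError):
        return True  # missing or malformed cookie
    # Hash the post's *current* password with the cookie's salt and compare.
    expected = hashlib.pbkdf2_hmac("sha256", post_password.encode(), salt, ROUNDS)
    return not hmac.compare_digest(expected, digest)

def origin(post_password, cookie):
    """What the application itself returns for the post URL."""
    return "password form" if password_required(post_password, cookie) else "post content"

def url_only_cache(cache, url, post_password, cookie):
    """Misconfigured cache: keyed on URL alone, stores cookie-dependent responses."""
    if url not in cache:
        cache[url] = origin(post_password, cookie)
    return cache[url]

def cookie_aware_cache(cache, url, post_password, cookie):
    """Requests that carry the post-password cookie always go to the origin."""
    if cookie is not None:
        return origin(post_password, cookie)
    return url_only_cache(cache, url, post_password, cookie)

def demo():
    cookie = issue_cookie("old-secret")  # visitor unlocks the post
    bad, good = {}, {}
    url_only_cache(bad, "/post", "old-secret", cookie)
    cookie_aware_cache(good, "/post", "old-secret", cookie)
    new = "new-secret"  # admin changes the post password; the old cookie is still sent
    return {"origin": origin(new, cookie),
            "url_only_cache": url_only_cache(bad, "/post", new, cookie),
            "cookie_aware_cache": cookie_aware_cache(good, "/post", new, cookie)}
```

Calling `demo()` shows the origin and the cookie-aware cache returning the password form after the change, while the URL-only cache still returns the post content.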
