Opened 8 years ago
Last modified 2 years ago
#39903 new defect (bug)
is_user_logged_in() true on ajax after cookie has been deleted
| Reported by: | esemlabel | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | major | Version: | 4.7.2 |
| Component: | Users | Keywords: | needs-patch |
| Focuses: | | Cc: | |
Description
is_user_logged_in() will return true on AJAX after the cookie has been deleted manually in the browser, until the session tokens expire or the admin runs destroy_sessions for this user.
To reproduce:
- Add an AJAX callback function containing a single is_user_logged_in() check.
- Log in on the front end.
- Clear the browser cookies.
- Refresh the page and run the AJAX call. It will return true, but var_dump( is_user_logged_in() ) on the page itself correctly returns false.
Even more: after deleting the cookie and refreshing the page, a new wordpress_ cookie appears again, maybe because of the is_user_logged_in() check.
Proof on video attached, using a fresh WP install.
Attachments (1)
Change History (10)
#1 (8 years ago)
- Component changed from General to Users
I would suggest adapting the is_user_logged_in() function so that every time it returns a false "true", it forces the current user to a WP_User with ID 0:
```php
<?php
// Proposed replacement for the pluggable is_user_logged_in(): a user that was
// resolved from a cookie but has no current session token (wp_get_session_token()
// returns an empty string when no logged_in cookie is present) is treated as anonymous.
function is_user_logged_in() {
	$user = wp_get_current_user();
	if ( $user->exists() && ! wp_get_session_token() ) {
		wp_set_current_user( 0 );
		return false;
	}
	return $user->exists();
}
```
Or perform this check inside wp_get_current_user(), which also used when checking nonce and many other things.
#3 (8 years ago)
Temporary fix for all POST-type AJAX actions:
```php
<?php
// Hook the check in front of whatever handler is registered for the requested
// AJAX action. This must run at plugin load time, before admin-ajax.php fires
// the wp_ajax_{action} / wp_ajax_nopriv_{action} hooks; priority 1 puts it first.
if ( wp_doing_ajax() && ! empty( $_POST['action'] ) ) {
	add_action( 'wp_ajax_' . $_POST['action'], 'check_session_token_ajax', 1 );
	add_action( 'wp_ajax_nopriv_' . $_POST['action'], 'check_session_token_ajax', 1 );
}

// A user resolved from a cookie but without a session token has no valid
// logged_in cookie: drop to the anonymous user and clear the stale auth cookies.
function check_session_token_ajax() {
	if ( is_user_logged_in() && ! wp_get_session_token() ) {
		wp_set_current_user( 0 );
		wp_clear_auth_cookie();
	}
}
```
#4 (7 years ago)
- Keywords needs-patch added
- Severity changed from normal to major
Any update on this? This bug makes AJAX scripts that determine a user's logged-in status unusable when visitors have cleared their cookies.
#5 (7 years ago)
This sounds like a case where the front-end logged-in cookies are removed, but the admin/ajax authentication cookies still exist (so the user would still have access to /wp-admin/). Does that sound correct?
If that's the case, I'm not sure there's anything to do here, unless the admin was to check that the front-end cookies still exist and are valid too?
#6 (7 years ago), follow-up: #7
No, in this case the visitor/user wasn't allowed to visit /wp-admin/. Just checked: when visiting /wp-admin/, the browser gets redirected to /wp-login.php.
We also logged the results of both is_user_logged_in() and wp_get_current_user(). In the case of an AJAX call, these functions returned, respectively, true and a WP_User object containing the user data of the user who was logged in before clearing the cookies. In the case of a regular call, they returned, respectively, false and an empty WP_User object.
#7 (7 years ago), in reply to: #6
Replying to ronald_edelschaap:
> No, in this case the visitor/user wasn't allowed to visit /wp-admin/. Just checked: when visiting /wp-admin/, the browser gets redirected to /wp-login.php.
> We also logged the results of both is_user_logged_in() and wp_get_current_user(). In the case of an AJAX call, these functions returned, respectively, true and a WP_User object containing the user data of the user who was logged in before clearing the cookies. In the case of a regular call, they returned, respectively, false and an empty WP_User object.
In that case I'm not actually sure what is being reported here at all.
It sounds like the custom code / plugin in use to block access to /wp-admin/ is the issue in that case (even the most basic authenticated user has access to admin-ajax.php in /wp-admin/).
#8 (7 years ago)
I'm sorry for not being clear. I meant that the visitor's browser gets redirected from /wp-admin/ to /wp-login.php after clearing the cookies. He has access to /wp-admin/ when logged in, but not anymore after clearing the cookies.
#9 (2 years ago)
Hello
This problem is still happening (WordPress 6.0.1), and I experienced EXACTLY what @esemlabel described at first. I've also done the var_dump test and saw that it is correct on the page, but in AJAX it isn't.
The code in comment #3 solved my problem, and I suggest that you add it to WordPress core.
Thanks.
Screen Cast
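The following is an added example for this page, not code from the ticket or from WordPress core. It generalises the temporary fix in comment #3 to every request (not only POST AJAX actions) and builds on the explanation offered in comment #5: WordPress sets the auth cookie with a path of /wp-admin/ (and the plugins path), while the logged_in cookie is set site-wide, so a request to admin-ajax.php can still authenticate from a surviving auth cookie after the logged_in cookie is gone. Core resolves the user through the determine_current_user filter, where wp_validate_auth_cookie() runs at priority 10 and wp_validate_logged_in_cookie() at priority 20 is skipped as soon as a user has been found. The example hooks that filter at priority 99 (a choice of this example) and refuses a cookie-authenticated user whose logged_in cookie does not validate to the same user ID. It assumes a standard WordPress install and is meant to be saved as its own file under wp-content/mu-plugins/; the file header text is illustrative.

```php
<?php
/**
 * Plugin Name: Require a valid logged_in cookie for cookie-authenticated requests
 * Description: Added example, not part of WordPress core or of ticket #39903.
 *
 * Makes is_user_logged_in() give the same answer on admin-ajax.php as on the
 * front end when only the /wp-admin/-scoped auth cookie survives in the browser.
 */

add_filter( 'determine_current_user', function ( $user_id ) {
	// Nothing to reconcile if no earlier callback found a user.
	if ( ! $user_id ) {
		return $user_id;
	}

	// Only apply to cookie-based authentication. Other mechanisms (application
	// passwords on the REST API, XML-RPC, code calling wp_set_current_user())
	// do not send the auth cookie and must keep working unchanged.
	$has_auth_cookie = ! empty( $_COOKIE[ AUTH_COOKIE ] ) || ! empty( $_COOKIE[ SECURE_AUTH_COOKIE ] );
	if ( ! $has_auth_cookie ) {
		return $user_id;
	}

	// Validate the site-wide logged_in cookie with the same routine core uses
	// for the auth cookie; it also verifies that the session token is still
	// live. A missing, expired or destroyed cookie yields false.
	$logged_in_user = wp_validate_auth_cookie( '', 'logged_in' );

	if ( (int) $logged_in_user !== (int) $user_id ) {
		// The auth cookie and the logged_in cookie disagree: treat the request
		// as anonymous, which is what a front-end request already sees.
		return 0;
	}

	return $user_id;
}, 99 );
```

Because the check runs inside the user resolution itself, it covers is_user_logged_in(), wp_get_current_user() and nonce verification alike, and it does not depend on the $_POST['action'] value the way the per-action hooks in comment #3 do. It does not clear cookies; the stale auth cookie simply stops authenticating until the user logs in again or the session token is destroyed.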