Opened 3 years ago

Last modified 2 years ago

#39903 new defect (bug)

is_user_logged_in() true on ajax after cookie has been deleted

Reported by: esemlabel
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: major
Version: 4.7.2
Component: Users
Keywords: needs-patch
Focuses:
Cc:
PR Number:

Description

is_user_logged_in() will return true on ajax after the cookie has been deleted manually in the browser, until the session tokens expire or until destroy_sessions is run from admin for this user.

To reproduce on:

  1. Add an ajax callback function with a single is_user_logged_in() check.
  2. Log in on the front end.
  3. Clear the browser cookie.
  4. Refresh the page and run the ajax call. It will return true. But var_dump( is_user_logged_in() ) on the page will correctly return false.

Even more: after deleting the cookie and refreshing the page, a new wordpress_ cookie appears again, maybe because of the is_user_logged_in() check.

Proof on video attached using fresh wp install.

Attachments (1)

Feb 17 2017 4-33 PM.zip (9.9 MB) - added by esemlabel 3 years ago.
Screen Cast

Change History (9)

@esemlabel
3 years ago

Screen Cast

#1 @esemlabel
3 years ago

  • Component changed from General to Users

I would suggest adapting the is_user_logged_in() function so that every time it returns a false "true", it forces the current user to the WP_User with ID 0:

<?php
// Proposed replacement for core's is_user_logged_in(): a user that "exists"
// but has no session token in the logged_in cookie is treated as logged out.
function is_user_logged_in() {

    $user = wp_get_current_user();

    // wp_get_session_token() reads the wordpress_logged_in_ cookie; empty
    // means that cookie is missing although a user was still resolved.
    if ( $user->exists() && empty( wp_get_session_token() ) ) {
        wp_set_current_user( 0 );
        return false;
    }

    return $user->exists();

}

#3 @esemlabel
3 years ago

Temporary fix for all POST type ajax actions:

<?php
// Hook the check in front of every POST ajax action (priority 1 runs before
// the action's own handler), for both logged-in and nopriv variants.
if ( wp_doing_ajax() && ! empty( $_POST['action'] ) ) {
    add_action( 'wp_ajax_' . $_POST['action'], 'check_session_token_ajax', 1 );
    add_action( 'wp_ajax_nopriv_' . $_POST['action'], 'check_session_token_ajax', 1 );
}

function check_session_token_ajax() {

    // Logged in according to core, but no session token in the logged_in
    // cookie: drop to user 0 and clear the remaining auth cookies.
    if ( is_user_logged_in() && ! wp_get_session_token() ) {
        wp_set_current_user( 0 );
        wp_clear_auth_cookie();
    }

}

#4 @ronald_edelschaap
2 years ago

  • Keywords needs-patch added
  • Severity changed from normal to major

Any update on this? This bug makes AJAX scripts that determine the user's logged-in status unusable in case visitors have cleared their cookies.

#5 @dd32
2 years ago

This sounds like a case where the front-end logged in cookies are removed, but the admin/ajax authentication cookies still exist (So the user would still have access to /wp-admin/). Does that sound correct?

If that's the case, I'm not sure there's anything to do here - unless the admin was to check the front-end cookies still exist and are valid too?

#6 follow-up: @ronald_edelschaap
2 years ago

No, in this case the visitor/user wasn't allowed to visit /wp-admin/. Just checked, when visiting /wp-admin/, the browser gets redirected to /wp-login.php.

We also logged the results of both is_user_logged_in() and wp_get_current_user(). In case of an AJAX call, these functions resulted in resp. true and a WP_User object containing the user data of the user who was logged in before clearing the cookies. In case of a regular call, these functions resulted in resp. false and an empty WP_User object.

#7 in reply to: ↑ 6 @dd32
2 years ago

Replying to ronald_edelschaap:

No, in this case the visitor/user wasn't allowed to visit /wp-admin/. Just checked, when visiting /wp-admin/, the browser gets redirected to /wp-login.php.

We also logged the results of both is_user_logged_in() and wp_get_current_user(). In case of an AJAX call, these functions resulted in resp. true and a WP_User object containing the user data of the user who was logged in before clearing the cookies. In case of a regular call, these functions resulted in resp. false and an empty WP_User object.

In that case I'm not actually sure of what is being reported here at all.
It sounds like the custom code / plugin in use to block access to /wp-admin/ is the issue in that case (Even the most basic authenticated user has access to admin-ajax.php/wp-admin).

#8 @ronald_edelschaap
2 years ago

I'm sorry for not being clear. I meant that the visitor's browser gets redirected from wp-admin to /wp-login.php after clearing the cookies. He has access to /wp-admin/ when being logged in, but not anymore after clearing the cookies.
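The filter below is an added example, not code from this ticket or from WordPress core. It enforces the condition dd32 describes in comment #5: an admin-ajax request (where core validates only the wordpress_<hash> auth cookie) keeps its user only if the front-end wordpress_logged_in_<hash> cookie also validates to the same user ID, which is what the reporter's temporary fix in comment #3 approximates. The hook `determine_current_user` and the functions `wp_validate_auth_cookie()`, `wp_doing_ajax()` and `wp_clear_auth_cookie()` are core APIs; the `ticket39903_` function names and the `whoami` action are assumptions made for the example.

```php
<?php
/**
 * Added example (not from the ticket or WordPress core). On admin-ajax.php,
 * core resolves the user from the auth cookie; the front end uses the
 * logged_in cookie. Require both to agree so that clearing the logged_in
 * cookie also logs the caller out of AJAX. Names prefixed ticket39903_ are
 * assumptions.
 */
function ticket39903_require_logged_in_cookie( $user_id ) {
    // Only AJAX requests that core already resolved to a user are affected.
    if ( ! $user_id || ! wp_doing_ajax() ) {
        return $user_id;
    }

    // Re-validate with the front-end scheme; returns false when the cookie is
    // missing, expired, fails its HMAC, or carries a destroyed session token.
    $logged_in_user = wp_validate_auth_cookie( '', 'logged_in' );

    if ( (int) $logged_in_user === (int) $user_id ) {
        return $user_id;
    }

    // Mismatch: record it for detection and fall back to the anonymous user (ID 0).
    error_log( sprintf(
        'admin-ajax auth mismatch: auth cookie user %d, logged_in cookie user %s, action %s',
        $user_id,
        var_export( $logged_in_user, true ),
        isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '(none)'
    ) );
    wp_clear_auth_cookie();

    return 0;
}
// Priority 30 runs after core's wp_validate_auth_cookie (10) and
// wp_validate_logged_in_cookie (20).
add_filter( 'determine_current_user', 'ticket39903_require_logged_in_cookie', 30 );

// Hypothetical AJAX handler that relies on the now-consistent is_user_logged_in().
function ticket39903_ajax_whoami() {
    check_ajax_referer( 'ticket39903_whoami', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'logged_in' => false ), 401 );
    }
    wp_send_json_success( array( 'logged_in' => true, 'user_id' => get_current_user_id() ) );
}
add_action( 'wp_ajax_ticket39903_whoami', 'ticket39903_ajax_whoami' );
add_action( 'wp_ajax_nopriv_ticket39903_whoami', 'ticket39903_ajax_whoami' );
```

With this in a must-use plugin, the reproduction steps in the description return false on the AJAX call as well, and the mismatch line in the PHP error log shows how often callers hit AJAX with a partial cookie set.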
