id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,focuses
42481,TEST_COOKIE and LOGGED_IN_COOKIE secure flag create issues on non-secure login,RavanH,,"Once a user has accessed the login form over https (possible without a valid SSL license, ignoring the browser warning), the WordPress TEST_COOKIE will have the secure flag set: https://core.trac.wordpress.org/browser/trunk/src/wp-login.php#L433

When that user goes back to login over http, this will no longer be possible. The test cookie will be ignored by the browser because of the secure flag. Without the test cookie, all login attempts will be redirected back to the login form with a warning about cookies not being set by the browser. Most users will not know why this happens and will no longer be able to log in.

The user will have to go back to https, open the developer toolbar, delete the cookie and then go back to http. Only then will the test cookie be set again, this time without the secure flag.

A work-around to prevent users from being locked out like this is to make the test cookie name ""http/s aware"" with something like this in wp-config.php:

{{{
// Use a different test cookie name over HTTPS, so the Secure-flagged cookie
// cannot shadow the plain HTTP one (mirrors the wordpress_sec_ auth cookie name).
$secure = ( isset( $_SERVER['HTTPS'] ) && 'on' == $_SERVER['HTTPS'] ) ? '_sec' : '';
define( 'TEST_COOKIE', 'wordpress' . $secure . '_test_cookie' );
}}}

(using wordpress_sec for the secure cookie, similar to the auth cookie)

But... the real question is: '''Why does the test cookie need the secure flag at all?''' There is no sensitive information passed and it's only there to (as the name suggests) test for cookie-unaware or cookie-blocking browsers. At least as far as I can tell, there would be no possible problem with simply removing this cookie's secure flag. This will not affect any sensitive login/session cookies' secure flags. Or am I mistaken? Are there use cases where the browser can be set to accept cookies over https while blocking them over http?
",defect (bug),new,low,Awaiting Review,Login and Registration,4.9,normal,,,,