WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#42914 closed defect (bug) (invalid)

page visibility always acts like public, ignores password protection

Reported by: vccwebadmin
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.9.1
Component: General
Keywords: close
Focuses:
Cc:

Description

Recently upgraded from WordPress 4.8.3 to 4.9.1. After the upgrade, my website pages marked 'password protected' started allowing everyone to view them without prompting for a password. Using theme 2017. Seems like issue #23065 error, but for pages, not posts. Any thoughts?

Change History (3)

#1 @dd32
4 years ago

  • Keywords close reporter-feedback added

Hey @vccwebadmin and welcome to Trac

I've just tested this, and it's working as expected for me - do you have any security or caching plugins installed that might be affecting it? What about with all the plugins temporarily disabled?
Do you experience the same issue viewing the pages in Incognito/private mode in your browser?

There have been no other reports of it, and I can't see anything that would've affected it, so I'm more inclined to believe this may be caused by something on your site rather than a WordPress bug in general.

#2 follow-up: @vccwebadmin
4 years ago

Well, I discovered it will prompt for a password as long as I use a different device. Apparently, it is remembering my IP (a guess on my part) and not requiring the password if I ever logged in earlier from the same device. Perhaps this is intended, but I was expecting the password prompt. Sorry for a false alarm, if that behavior matches your expectations.

#3 in reply to: ↑ 2 @dd32
4 years ago

  • Keywords reporter-feedback removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Replying to vccwebadmin:

> Well, I discovered it will prompt for a password as long as I use a different device. Apparently, it is remembering my IP (a guess on my part) and not requiring the password if I ever logged in earlier from the same device. Perhaps this is intended, but I was expecting the password prompt. Sorry for a false alarm, if that behavior matches your expectations.

This is intended.
The post password is stored in a per-browser cookie, and won't prompt you for it until it expires.
If you use the same password on multiple posts, it won't prompt you on those posts either.
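
For sites where the behaviour described in the reply above is too permissive (shared or kiosk devices, for instance), the following must-use plugin is an added example, not code from this ticket or from WordPress core. It shortens the lifetime of the post password cookie and lets a visitor drop it on request. The `post_password_expires` filter and the `wp-postpass_` cookie prefix belong to core; the 15-minute window, the `example_` function names and the `example_forget_postpass` query argument are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Short-lived post password cookie (added example)
 * Description: Illustrative only. Place in wp-content/mu-plugins/.
 */

// Core sets the post password cookie with a default lifetime of 10 days.
// Assumption: 15 minutes is an acceptable unlock window for this site.
// Returning 0 instead would make it a session cookie that is dropped
// when the browser closes.
add_filter( 'post_password_expires', 'example_postpass_expiry' );
function example_postpass_expiry( $expires ) {
	return time() + 15 * MINUTE_IN_SECONDS;
}

// Hypothetical "lock again" link: /any-page/?example_forget_postpass=1
// Expires the cookie so the password form is shown on the next view.
add_action( 'init', 'example_postpass_forget' );
function example_postpass_forget() {
	if ( ! isset( $_GET['example_forget_postpass'] ) ) {
		return;
	}

	$name = 'wp-postpass_' . COOKIEHASH;

	if ( isset( $_COOKIE[ $name ] ) ) {
		// Path and domain must match the values core used when it set
		// the cookie, otherwise the browser keeps the original.
		setcookie( $name, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
		unset( $_COOKIE[ $name ] );
	}

	// Redirect to the same URL without the query argument so a reload
	// does not repeat the action.
	wp_safe_redirect( remove_query_arg( 'example_forget_postpass' ) );
	exit;
}
```

A page cache in front of the site can still serve an unlocked copy of a protected page regardless of the cookie, which is why the first reply asks about caching plugins.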
