Opened 7 years ago
Closed 7 years ago
#44089 closed defect (bug) (fixed)
Clear post password cookie when logging out
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 4.9.7 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Posts, Post Types | Keywords: | good-first-bug has-patch fixed-major |
Focuses: | | Cc: | |
Description
I think it is expected behaviour that when a user logs out of WordPress, they are also "logged out" of viewing password protected posts for which they've entered the password. This is not the case. The wp-postpass_{hash} cookie is not cleared when a user logs out.
Example scenario:
- Log in to WordPress.
- Publish a password protected post.
- Navigate to the post permalink and enter the password to view the post.
- Log out of WordPress.
The password protected post is still viewable at its permalink, despite the user having just logged out. It's correct that viewing a password protected post is not tied to a user session, but I think most users would expect that after logging out of their account they would no longer be able to see the contents of a password protected post that they just published.
Previously: #32567
Related: There is no way for any user -- logged in or not -- to "log out" of viewing a password protected post. I'm sure there's an existing ticket for this but I can't find it.
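As an added example (not part of the ticket or of WordPress core), this Python check takes the cookie names a browser holds before logout and the `Set-Cookie` headers of the logout response, and reports which `wp-postpass_` cookies survive. The hash `0123abcd` and all header values are constructed, and the check assumes a deleting `Set-Cookie` uses the same path and domain as the cookie it targets.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
POSTPASS_PREFIX = "wp-postpass_"  # cookie name from the ticket: wp-postpass_{hash}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def deletes_cookie(attrs, now):
    """True when the attributes tell the browser to drop the cookie."""
    if "max-age" in attrs:  # Max-Age wins over Expires (RFC 6265)
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # malformed Max-Age is ignored; fall back to Expires
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return False  # no usable expiry: the cookie stays
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return expires <= now

def surviving_postpass_cookies(cookies_before, logout_set_cookie, now=None):
    """Post-password cookies the browser still holds after the logout response."""
    now = now or datetime.now(timezone.utc)
    held = {n for n in cookies_before if n.startswith(POSTPASS_PREFIX)}
    for header in logout_set_cookie:
        name, attrs = parse_set_cookie(header)
        if name.startswith(POSTPASS_PREFIX):
            if deletes_cookie(attrs, now):
                held.discard(name)
            else:
                held.add(name)  # a live re-set keeps the cookie
    return sorted(held)

# Constructed sample data; the hash "0123abcd" and header values are made up.
BEFORE = ["wordpress_logged_in_0123abcd", "wp-postpass_0123abcd"]
EXPIRED = "expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/"
UNPATCHED_LOGOUT = ["wordpress_logged_in_0123abcd=%20; " + EXPIRED]
PATCHED_LOGOUT = UNPATCHED_LOGOUT + ["wp-postpass_0123abcd=%20; " + EXPIRED]

if __name__ == "__main__":
    print("unpatched:", surviving_postpass_cookies(BEFORE, UNPATCHED_LOGOUT))
    print("patched:  ", surviving_postpass_cookies(BEFORE, PATCHED_LOGOUT))
```

A non-empty result for a logout response means the behaviour described in this ticket is present.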
Attachments (5)
Change History (14)
#2 in reply to: ↑ 1 @ 7 years ago
- Keywords 2nd-opinion removed
Replying to subrataemfluence:
To my understanding, a Password Protected page and a so-called Private page should be treated differently. I see it the other way round. In order to access a Password Protected page / post one doesn't have to be a registered user of the site.
Correct. This ticket has nothing to do with Private posts and pages, only password protected. This is just about clearing the password cookie when a logged-in user logs out.
#6 @ 7 years ago
- Owner set to SergeyBiryukov
- Resolution set to fixed
- Status changed from new to closed
In 43317:
I think there is a slight difference between a Page/Post visible to logged in users, which we usually call "Private Pages", and a Page/Post visible only by entering a Password which is applicable for that Page/Post only.
Let's take an example of a Password Protected Post/Page which sends an itemized Cost Proposal for organizing an event in a company's auditorium. The authority does not want the Proposal to be visible to the public, but those who applied for a booking are able to see it by means of entering a password set and provided by the company itself.
If the booking application has a section like "Ask for a Quote" and an Event Organizer sends an email to the webmaster from there, he can always do that even if he is not a registered account holder of the site yet.
The webmaster/admin can then prepare a Password protected Page / Post with the Cost Proposal and can then email the Page / Post link to Event Organizers with the password (set by the admin) required to open that page.
Although the Event Organizer is not a registered member of the site, he will still be able to access the page by entering the password, but others without it won't be able to see it.
The Event Organizer company can have several staff members who have the power to deal with cost factors. If the manager of this company passes on the link and the password, they will be able to see it. Otherwise, either these employees need to have a separate account on the site or the manager has to share his own credential (if he has any) with his employee(s) to get them the access to see it.
Another example is when we receive our Credit Card bills: we don't have to log in to any different systems (except our email); we just type in the password provided by the company to open the document.
To my understanding, a Password Protected page and a so-called Private page should be treated differently. I see it the other way round. In order to access a Password Protected page / post one doesn't have to be a registered user of the site.
I would be happy to be corrected!