Make WordPress Core

Opened 5 years ago

Last modified 12 months ago

#47088 reopened defect (bug)

Visiting wp-login.php whilst logged in logs you out

Reported by: lev0
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 3.0
Component: Login and Registration
Keywords:
Focuses:
Cc:

Description

I leave multiple, regularly-used WP admin tabs open in a browser window. The login sessions time out, as expected, resulting in tabs with URLs like https://example.com/wp-login.php?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2Fadmin.php%3Fpage%3Dfoo-bar&reauth=1

If I log in on such a tab to do something, then switch to another tab that also has that type of auto-logged-out URL, I am immediately logged out of the site.

I would expect WP to realise that I am logged in and simply honour the redirect already in the URL, or at least provide the choice of logging out or going to the redirect page/dashboard.

Change History (8)

#1 @swissspidy
5 years ago

  • Component changed from General to Login and Registration
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Thanks, we are already tracking this in #14949.

#2 @SergeyBiryukov
5 years ago

  • Milestone set to Awaiting Review
  • Resolution duplicate deleted
  • Status changed from closed to reopened

I think this ticket is different from #14949. That one is about getting an inaccurate "You are now logged out" message on the login page without actually being logged out.

This one is about the login page forcibly clearing cookies if the reauth flag is set, see [14556]. Whether or not it's the intended behavior is up for discussion.

#3 @SergeyBiryukov
5 years ago

Whether or not it's the intended behavior is up for discussion.

Per comment:33:ticket:12142, it appears to be.

Last edited 5 years ago by SergeyBiryukov

#4 @SergeyBiryukov
5 years ago

  • Version changed from trunk to 3.0

#5 @lev0
16 months ago

I understand the reauth process has an important function, but it's indifferent to time. Any subsequent login invalidates that state in reality, but the login page still performs a naive boolean test. I've submitted a plugin (awaiting review) to resolve the issue and preserve genuine reauth requests, but I believe it'd be better if core took care of this.

#6 @lev0
16 months ago

https://wordpress.org/plugins/stop-logging-me-out/

Makes reauth a timestamp so it can be invalidated, and sets a cookie (only available to the login page) to which it can be compared.
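The timestamped-reauth idea described in this comment, written out as an added illustrative mu-plugin (this is not the stop-logging-me-out plugin's code). Assumptions: the cookie name `tsr_last_login` is made up, PHP 7.3+ is used for the array form of `setcookie()`, and the hooks `login_url`, `wp_login` and `login_init` behave as in current core, where `login_init` fires before wp-login.php's `if ( $reauth ) wp_clear_auth_cookie();`.

```php
<?php
/**
 * Plugin Name: Timestamped reauth (illustrative example, not the plugin above)
 */

const TSR_COOKIE = 'tsr_last_login'; // assumption: our own cookie name

// 1. Issue reauth URLs that carry a timestamp instead of the fixed "1",
//    so a reauth request can later be compared against a login time.
add_filter( 'login_url', function ( $login_url, $redirect, $force_reauth ) {
    if ( $force_reauth ) {
        $login_url = add_query_arg( 'reauth', time(), $login_url );
    }
    return $login_url;
}, 10, 3 );

// 2. Record when the current session was established. The cookie path is
//    restricted to the login page, so no other page ever receives it.
add_action( 'wp_login', function () {
    setcookie( TSR_COOKIE, (string) time(), [
        'expires'  => 0,                               // session cookie
        'path'     => SITECOOKIEPATH . 'wp-login.php',
        'domain'   => COOKIE_DOMAIN,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ] );
} );

// 3. Before core clears the auth cookie for a reauth request, check whether
//    the request predates the current login. If it does, it is stale:
//    honour redirect_to instead of logging the user out. A newer (genuine)
//    reauth request is left for core to handle as before.
add_action( 'login_init', function () {
    if ( empty( $_GET['reauth'] ) || ! is_user_logged_in() ) {
        return;
    }
    // A legacy "reauth=1" carries no time information; comparing it as
    // timestamp 1 means any recorded login supersedes it.
    $requested_at = (int) $_GET['reauth'];
    $logged_in_at = (int) ( $_COOKIE[ TSR_COOKIE ] ?? 0 );
    if ( $requested_at === 0 || $logged_in_at <= $requested_at ) {
        return; // no login recorded after the request: let core reauth
    }
    $target = isset( $_GET['redirect_to'] )
        ? wp_unslash( $_GET['redirect_to'] )
        : admin_url();
    wp_safe_redirect( $target ); // off-host targets fall back to admin_url()
    exit;
} );
```

Note that the reauth value in the URL is still user-supplied, so this changes only when core logs a user out, not who can construct such a URL.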

#7 @rajinsharwar
12 months ago

Following on this old reported bug, as per my suggestion, this does of course seem to be an issue to me. One of the main reasons is, using this, any user can be logged out simply by visiting a URL; no nonces were needed to make any current user log out. Anyone can make any user log out from his current state by just making him visit the URL.

My Proposal:

Let's continue displaying the login page whenever that URL "https://example.com/wp-login.php?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2Fadmin.php%3Fpage%3Dfoo-bar&reauth=1" is visited. But, visiting that URL with the reauth flag being set shouldn't clear out the cookies. Instead, we can follow here the approach that's decided for #14949 whenever anyone wants to visit the URL while being logged in.

Requesting suggestions from all in this case. @SergeyBiryukov @swissspidy

#8 @lev0
12 months ago

The plugin I wrote does not mitigate the annoyance @rajinsharwar mentions, but it still resolves the issue of WP unintentionally logging users out. Is there any support here for its logic to be added to core?

I agree that being able to log someone out from a GET request is not great, but WP does need a way to force a user to re-authenticate, so how else could this be done?
