Opened 3 weeks ago

Last modified 3 weeks ago

#48119 new defect (bug)

Logout does not work when using cookie prefixes

Reported by: lflobbe
Owned by: (none)
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: (none)
Component: Users
Keywords: (none)
Focuses: (none)
Cc: (none)
PR Number: (none)

Description (last modified by johnbillion)

When renaming the WordPress cookies to use the __Host- or __Secure- cookie prefix, logging out no longer works. The wp_clear_auth_cookie() function needs to use the "Secure" cookie flag to ensure that modern browsers will allow it to overwrite the login cookies when cookie prefixes are used.

How to reproduce:

  1. Use HTTPS
  2. Set cookie prefixes in wp-config.php:
    // WP_HOME must already be defined above this block, since COOKIEHASH is derived from it
    if ( isset( $_SERVER['HTTPS'] ) && 'on' === $_SERVER['HTTPS'] ) {
      define( 'COOKIEHASH',           md5( WP_HOME ) );
      define( 'USER_COOKIE',          '__Host-wpse_user_'      . COOKIEHASH );
      define( 'PASS_COOKIE',          '__Host-wpse_pass_'      . COOKIEHASH );
      define( 'AUTH_COOKIE',          '__Host-wpse_'           . COOKIEHASH );
      define( 'SECURE_AUTH_COOKIE',   '__Host-wpse_sec_'       . COOKIEHASH );
      define( 'LOGGED_IN_COOKIE',     '__Host-wpse_logged_in_' . COOKIEHASH );
      define( 'TEST_COOKIE',          '__Host-wpse_test_cookie'             );
      // __Host- cookies MUST have their path set to / (and carry no Domain attribute), otherwise they will be ignored by the browser
      define( 'COOKIEPATH',           '/' );
      define( 'SITECOOKIEPATH',       '/' );
      define( 'ADMIN_COOKIE_PATH',    '/' );
      define( 'PLUGINS_COOKIE_PATH',  '/' );
    }

  3. Login
  4. Try to logout. Inspect the cookies. Notice how the login cookies still have their original content and have not been overwritten.

Solution:
wp_clear_auth_cookie() needs to use the "Secure" cookie flag under all the same circumstances in which wp_set_auth_cookie() uses the "Secure" cookie flag.
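The browser-side rule behind the failure described above, as an added example that is not part of this ticket or of WordPress itself: a small Python model of the cookie-prefix rules (the __Secure- and __Host- requirements from the RFC 6265bis cookie-prefix section) applied to the Set-Cookie line a logout sends. A browser that sees a prefixed cookie without the required attributes drops that Set-Cookie entirely, so the existing login cookie stays in place. The cookie names and the COOKIEHASH value are constructed, and clear_cookie_header() is a stand-in for a PHP setcookie() call, not the WordPress function.

```python
"""Why a logout that omits the Secure flag cannot overwrite __Host-/__Secure- cookies.

Rules modelled (RFC 6265bis, cookie prefixes):
  __Secure-  : the Set-Cookie must carry the Secure attribute (and arrive over HTTPS).
  __Host-    : Secure, no Domain attribute, and Path=/ exactly.
A Set-Cookie that violates them is ignored by the browser, leaving the old cookie intact.
"""

YEAR_IN_SECONDS = 365 * 24 * 60 * 60  # same value WordPress defines for its expiry maths


def parse_set_cookie(line):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; attributes without a value (Secure, HttpOnly)
    map to True.
    """
    first, *rest = [p.strip() for p in line.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def browser_accepts(set_cookie_line, over_https=True):
    """True if a prefix-aware browser stores (or overwrites) the cookie.

    False means the browser silently discards the Set-Cookie, which is exactly
    the logout failure: the expiry header is dropped and the login cookie survives.
    """
    name, _value, attrs = parse_set_cookie(set_cookie_line)
    secure = attrs.get("secure") is True
    if name.startswith("__Host-"):
        return (secure and over_https
                and "domain" not in attrs
                and attrs.get("path") == "/")
    if name.startswith("__Secure-"):
        return secure and over_https
    return True  # unprefixed cookie names carry no such restriction


def clear_cookie_header(name, path="/", domain="", secure=False):
    """Set-Cookie line a server emits to expire a cookie (hypothetical helper).

    Equivalent to PHP's setcookie($name, ' ', time() - YEAR_IN_SECONDS, $path, $domain, $secure):
    the value is emptied and the expiry is pushed into the past.
    """
    parts = [f"{name}=", "expires=Thu, 01 Jan 1970 00:00:00 GMT", f"path={path}"]
    if domain:
        parts.append(f"domain={domain}")
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def simulate_logout(cookie_names, secure, over_https=True):
    """Return {cookie name: True if the clearing Set-Cookie took effect}."""
    return {n: browser_accepts(clear_cookie_header(n, secure=secure), over_https)
            for n in cookie_names}


if __name__ == "__main__":
    COOKIEHASH = "0123456789abcdef0123456789abcdef"  # constructed stand-in for md5(WP_HOME)
    names = [f"__Host-wpse_{COOKIEHASH}",
             f"__Host-wpse_sec_{COOKIEHASH}",
             f"__Host-wpse_logged_in_{COOKIEHASH}"]
    # Clearing without the Secure flag: every prefixed cookie survives the logout.
    for name, cleared in simulate_logout(names, secure=False).items():
        print(f"no Secure flag  {name[:24]}...  cleared={cleared}")
    # Clearing with the Secure flag (the fix this ticket asks for): all are overwritten.
    for name, cleared in simulate_logout(names, secure=True).items():
        print(f"with Secure     {name[:24]}...  cleared={cleared}")
```

The same check also explains the COOKIEPATH settings in the reproduction steps: a __Host- cookie cleared with path=/wp-admin, or with a Domain attribute, is dropped even when Secure is present, whereas __Secure- only insists on Secure.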

Change History (2)

#1 @johnbillion
3 weeks ago

  • Description modified (diff)
  • Version trunk deleted

#2 @SergeyBiryukov
3 weeks ago

  • Component changed from General to Users