id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,focuses
48119,Logout does not work when using cookie prefixes,lflobbe,,"When renaming the WordPress cookies to use the `__Host-` or `__Secure-` cookie prefix, logging out no longer works.
The wp_clear_auth_cookie() function needs to use the ""Secure"" cookie flag to ensure that modern browsers will allow it to overwrite the login cookies when cookie prefixes are used.
How to reproduce:
1. Use HTTPS
2. Set cookie prefixes in wp-config.php:
{{{
if (@$_SERVER['HTTPS'] == 'on') {
    define( 'COOKIEHASH', md5( WP_HOME ) );
    define( 'USER_COOKIE', '__Host-wpse_user_' . COOKIEHASH );
    define( 'PASS_COOKIE', '__Host-wpse_pass_' . COOKIEHASH );
    define( 'AUTH_COOKIE', '__Host-wpse_' . COOKIEHASH );
    define( 'SECURE_AUTH_COOKIE', '__Host-wpse_sec_' . COOKIEHASH );
    define( 'LOGGED_IN_COOKIE', '__Host-wpse_logged_in_' . COOKIEHASH );
    define( 'TEST_COOKIE', '__Host-wpse_test_cookie' );
    // __HOST- cookies MUST have their path set to / otherwise they will be ignored by the browser
    define( 'COOKIEPATH', '/' );
    define( 'SITECOOKIEPATH', '/' );
    define( 'ADMIN_COOKIE_PATH', '/' );
    define( 'PLUGINS_COOKIE_PATH', '/' );
}
}}}
3. Log in
4. Try to log out. Inspect the cookies. Notice how the login cookies still have their original content and have not been overwritten.
Solution: wp_clear_auth_cookie() needs to use the ""Secure"" cookie flag under all the same circumstances in which wp_set_auth_cookie() uses the ""Secure"" cookie flag.
",defect (bug),new,normal,Awaiting Review,Users,,normal,,,,