Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#49395 closed defect (bug) (worksforme)

User authentication broken for usernames that include spaces (PHP bug #78929)

Reported by: codeguy's profile codeguy Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords:
Focuses: Cc:


PHP 7.4.2, released on January 20, 2020), includes a change such that PHP does NOT decode plus signs in cookie values when reading those values from $_COOKIE. See and

When a WordPress user has a space in her username, that space is url encoded to a plus sign by setcookie() when written to the HTTP header during POST /wp-login.php. The plus sign is not decoded back to a space by PHP, and prevents WordPress from properly finding and authenticating the user. The affected code is in wp-includes/pluggable.php:788 and in the wp_parse_auth_cookie() function.

Change History (9)

#1 @codeguy
4 years ago

Unsure if this should be fixed in WP core or in PHP. Looks like a related ticket is in progress on the PHP-side at

#2 @ocean90
4 years ago

  • Severity changed from critical to normal
  • Version 5.3.2 deleted

#3 @ocean90
4 years ago

#49366 was marked as a duplicate.

#4 @ocean90
4 years ago

Hello @codeguy, welcome to WordPress Trac!

Thanks for the report and the research. There's already a RC for 7.4.3 which should include the fix from

#5 @codeguy
4 years ago

Hi @ocean90! Happy to help. Looks like the easiest solution is to wait for 7.4.3 to be released. Thanks for looking into this :)

#6 @SergeyBiryukov
4 years ago

#49417 was marked as a duplicate.

#7 @homeworker
4 years ago

It' a bad habit allow username with spaces. Should be forbidden by WordPress.

#8 @ocean90
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

The fix was released in PHP 7.4.3 on Feb 20.

Last edited 4 years ago by ocean90 (previous) (diff)

#9 @natip100
4 years ago

Okay, the fix was initiated but users who were already registered with a space in their name still get a broken forgot password URL and users with spaces can still be registered. Seems like it has not been fixed.

Wordpress should offer an option (or even make it mandatory) that users not be allowed to be registered with a space.

Note: See TracTickets for help on using tickets.