Opened 3 months ago

Last modified 3 months ago

#50522 new defect (bug)

stop setting "older" cookies with multiple path prefixes

Reported by: drzraf
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.4.2
Component: Login and Registration
Keywords:
Focuses: administration
Cc:

Description

According to wp_clear_auth_cookie(),

<?php
// Auth cookies.
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN );
setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );

// Settings cookies.
setcookie( 'wp-settings-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );
setcookie( 'wp-settings-time-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH );

// Old cookies.
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );

// Even older cookies.
setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );
setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN );

// Post password cookie.
setcookie( 'wp-postpass_' . COOKIEHASH, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );

Which usually means 19 cookies for a login. This by itself may represent up to 2.4 kB of header size for that sole purpose. (Let's remember that many reverse proxies have arbitrary limitations, e.g. HTTP/2 push on Cloudflare at 3 kB.)

An obvious first question is why decade-old cookies are still set instead of the minimal 11 cookies.

We can also observe that in most configurations, COOKIEPATH = /, and ADMIN_COOKIE_PATH and SITECOOKIEPATH are either equal to or a subpath of COOKIEPATH. As a consequence, these additional granular-path cookies are useless because the cookie is already set for the whole domain. This could further remove 2 or 3 cookies.

Couldn't this number of cookies be halved?
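
An added example (not part of the ticket and not WordPress core code): it replays the (name, path) pairs quoted above against two constructed path configurations and keeps only the distinct ones. It collapses exact matches only, because a browser identifies a stored cookie by name, domain and path together, so an expiring Set-Cookie for `/` leaves a cookie stored under `/wp-admin` in place; COOKIE_DOMAIN is assumed empty, and the cookie names, user id 1 and `HASH` suffix are sample values.

```php
<?php
// Added example, not WordPress core code. Names, paths and the HASH suffix
// are constructed sample values; COOKIE_DOMAIN is assumed empty for every call.
const NAMES = [
    'AUTH_COOKIE' => 'wordpress_HASH', 'SECURE_AUTH_COOKIE' => 'wordpress_sec_HASH',
    'LOGGED_IN_COOKIE' => 'wordpress_logged_in_HASH',
    'USER_COOKIE' => 'wordpressuser_HASH', 'PASS_COOKIE' => 'wordpresspass_HASH',
    'SETTINGS' => 'wp-settings-1', 'SETTINGS_TIME' => 'wp-settings-time-1',
    'POSTPASS' => 'wp-postpass_HASH',
];
// (name, path constant) pairs in the order the ticket quotes them.
const CALLS = [
    ['AUTH_COOKIE', 'ADMIN_COOKIE_PATH'], ['SECURE_AUTH_COOKIE', 'ADMIN_COOKIE_PATH'],
    ['AUTH_COOKIE', 'PLUGINS_COOKIE_PATH'], ['SECURE_AUTH_COOKIE', 'PLUGINS_COOKIE_PATH'],
    ['LOGGED_IN_COOKIE', 'COOKIEPATH'], ['LOGGED_IN_COOKIE', 'SITECOOKIEPATH'],
    ['SETTINGS', 'SITECOOKIEPATH'], ['SETTINGS_TIME', 'SITECOOKIEPATH'],
    ['AUTH_COOKIE', 'COOKIEPATH'], ['AUTH_COOKIE', 'SITECOOKIEPATH'],
    ['SECURE_AUTH_COOKIE', 'COOKIEPATH'], ['SECURE_AUTH_COOKIE', 'SITECOOKIEPATH'],
    ['USER_COOKIE', 'COOKIEPATH'], ['PASS_COOKIE', 'COOKIEPATH'],
    ['USER_COOKIE', 'SITECOOKIEPATH'], ['PASS_COOKIE', 'SITECOOKIEPATH'],
    ['POSTPASS', 'COOKIEPATH'],
];

// Keep the first occurrence of each (name, path) pair; later exact repeats are dropped.
function unique_expiries(array $paths): array {
    $seen = [];
    foreach (CALLS as [$name, $pathConst]) {
        $cookie = [NAMES[$name], $paths[$pathConst]];
        $seen[implode("\0", $cookie)] ??= $cookie;
    }
    return array_values($seen);
}

// Rough size of the expiring Set-Cookie lines (estimate, CRLF included).
function header_bytes(array $cookies): int {
    $expires = gmdate('D, d-M-Y H:i:s T', time() - 31536000);
    $total = 0;
    foreach ($cookies as [$name, $path]) {
        $total += strlen("Set-Cookie: $name=%20; expires=$expires; Max-Age=0; path=$path") + 2;
    }
    return $total;
}

$configs = [
    'root install' => ['COOKIEPATH' => '/', 'SITECOOKIEPATH' => '/',
        'ADMIN_COOKIE_PATH' => '/wp-admin', 'PLUGINS_COOKIE_PATH' => '/wp-content/plugins'],
    'core in /wp/' => ['COOKIEPATH' => '/', 'SITECOOKIEPATH' => '/wp/',
        'ADMIN_COOKIE_PATH' => '/wp/wp-admin', 'PLUGINS_COOKIE_PATH' => '/wp/wp-content/plugins'],
];
foreach ($configs as $label => $paths) {
    $unique = unique_expiries($paths);
    printf("%-13s %d calls -> %d distinct, about %d header bytes\n",
        $label, count(CALLS), count($unique), header_bytes($unique));
}
```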

Attachments (2)

strip-cookies.patch (2.4 KB) - added by drzraf 3 months ago.
strip cookies example patch
strip-cookies.2.patch (2.4 KB) - added by drzraf 2 months ago.

Change History (3)

@drzraf
3 months ago

strip cookies example patch

#1 @SergeyBiryukov
3 months ago

  • Component changed from Administration to Login and Registration