Opened 10 months ago
Last modified 10 months ago
#60090 new defect (bug)
Double login with cloned wordpress instance
| Reported by: | vchn | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | major | Version: | 6.4.2 |
| Component: | Security | Keywords: | |
| Focuses: | administration, privacy | Cc: | |
Description
We use the Flatsome theme and, from cPanel, use the WordPress Manager by Softaculous feature to clone a "live" WordPress site to a new "staging" website.
The "live" one is on the domain: something.edu.vn
The "staging" one is on the domain: stage.something.edu.vn
Both websites are on the same hosting, i.e. no CDN installed.
As one is cloned from the other, the two sites have the same config salt keys (SECURE_AUTH_SALT, AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT).
Open the staging site and log in with an admin user (e.g. adminuser).
Open a new tab in the same browser.
Browse the "live" site; just refresh a few times and we see adminuser logged in on the "live" site.
Change History (6)
#2 in reply to: ↑ 1, 10 months ago
Hi @dd32
+ No COOKIE_DOMAIN set in the config.
+ We don't use any authentication plugin.
+ Now I can easily reproduce the same issue:
- Log out of both websites. Close the browser.
- Open the browser and log into the "staging" site.
- Open a new tab or new browser window (in normal mode, not Incognito).
The live site is now also logged in with the same user.
Attached is the full plugins list.
Image here https://www.evernote.com/shard/s271/sh/1b5f7a5c-cc41-4f10-9048-3452f18cefd3/hYum1U8q4Uz6NhkBYkJhnMsk7OYv9vptwD79GvOlIEZuwWuWQLQ1r2Ccig/deep/0/image.png
Replying to dd32:
Hi @vchn,
Can you confirm the following details?
- You're not using any Authentication plugins
- The cloned site is using a cloned database
- The user is logged out before the cloning happens
- Single or Multisite?
- Is COOKIE_DOMAIN defined in the config?
This sounds like the expected behaviour to me at first. The URL is not part of the authentication, but is used for the cookies. If the cookies "leak" from the parent domain to the child staging domain (which your browser is in control of - affected by the COOKIE_DOMAIN constant too) and either a) the database is shared or b) the login occurs before the database is cloned, then with an exact replica of the main site a session would be able to be valid on both sites if all of the auth tokens in the database and configuration are the same.
#3, 10 months ago
Based on that, it sounds like it's using the same database (So it's just the disk files that are unique), and your site is configured to share cookies between the two domains, which would result in the behaviour you're seeing.
It's likely this is intentional from the cloning software you're using.
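The behaviour discussed in this ticket follows from how the WordPress auth cookie is built. As an added example (not code from the ticket, and not WordPress core itself), the Python below re-creates the "auth" cookie scheme of wp_generate_auth_cookie() / wp_validate_auth_cookie() in wp-includes/pluggable.php: wp_hash() of login, a four-character fragment of the stored password hash, expiry and session token, keyed with AUTH_KEY concatenated with AUTH_SALT, followed by a SHA-256 HMAC using that value as the key, the session-token lookup in usermeta (keyed by sha256 of the token), and the "wordpress_" + md5(siteurl) cookie name. The two hostnames follow the ticket; the keys, salts, password hash, session token and timestamps are constructed values, not taken from the reporter's installation. It replays the report with a "live" site, a clone that shares keys, salts and user/session rows, and a clone whose keys have been regenerated.

```python
import hashlib
import hmac

# Constructed fixtures standing in for wp-config.php constants, the wp_users row
# and the usermeta 'session_tokens' entry. None of these come from the reporter's site.
LIVE_KEYS = {"AUTH_KEY": "kC8^vQ2!live-key-constructed", "AUTH_SALT": "Zp0(live-salt-constructed"}
FRESH_KEYS = {"AUTH_KEY": "n4#Rx7$staging-key-constructed", "AUTH_SALT": "Ws9)staging-salt-constructed"}
# A phpass-style hash as stored in wp_users.user_pass; only characters 8..11 enter the cookie.
USERS = {"adminuser": {"user_pass": "$P$BqYh3sK2vN8rT5wL1xM9cZ7aD4fG6hJ0"}}
SESSION_TOKEN = "a" * 43          # WordPress uses wp_generate_password(43, false, false)
EXPIRATION = 2_000_000_000        # cookie expiry as Unix time, constructed
NOW = 1_700_000_000               # "current" time for validation, constructed


class WpSite:
    """Just enough of one WordPress install to issue and check an 'auth' scheme cookie."""

    def __init__(self, siteurl, keys, users, sessions):
        self.siteurl = siteurl
        self.auth_key = keys["AUTH_KEY"]
        self.auth_salt = keys["AUTH_SALT"]
        self.users = users        # login -> {"user_pass": ...}   (wp_users)
        self.sessions = sessions  # login -> {sha256(token): {...}} (usermeta session_tokens)

    def cookie_name(self):
        # COOKIEHASH = md5(siteurl); AUTH_COOKIE = 'wordpress_' . COOKIEHASH.
        # The URL enters here, and only here.
        return "wordpress_" + hashlib.md5(self.siteurl.encode()).hexdigest()

    def wp_hash(self, data):
        # wp_hash($data, 'auth') = hash_hmac('md5', $data, AUTH_KEY . AUTH_SALT)
        salt = (self.auth_key + self.auth_salt).encode()
        return hmac.new(salt, data.encode(), hashlib.md5).hexdigest()

    def _mac(self, login, pass_frag, expiration, token):
        key = self.wp_hash(f"{login}|{pass_frag}|{expiration}|{token}")
        msg = f"{login}|{expiration}|{token}".encode()
        return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()

    def generate_auth_cookie(self, login, expiration, token):
        pass_frag = self.users[login]["user_pass"][8:12]
        return f"{login}|{expiration}|{token}|{self._mac(login, pass_frag, expiration, token)}"

    def validate_auth_cookie(self, cookie, now):
        """Return the login this cookie authenticates on this site, or None."""
        parts = cookie.split("|")
        if len(parts) != 4:
            return None
        login, expiration, token, mac = parts
        if int(expiration) < now:
            return None
        user = self.users.get(login)
        if user is None:
            return None
        expected = self._mac(login, user["user_pass"][8:12], expiration, token)
        if not hmac.compare_digest(expected, mac):
            return None
        # WP_Session_Tokens::verify(): the token must still exist in usermeta, keyed by sha256(token).
        verifier = hashlib.sha256(token.encode()).hexdigest()
        if verifier not in self.sessions.get(login, {}):
            return None
        return login


def clone_scenario():
    """Replay the ticket: a login on the clone yields a cookie the live site also accepts."""
    # One shared session store models a shared database, or a database cloned after the login.
    sessions = {"adminuser": {hashlib.sha256(SESSION_TOKEN.encode()).hexdigest(): {"expiration": EXPIRATION}}}
    live = WpSite("https://something.edu.vn", LIVE_KEYS, USERS, sessions)
    staging = WpSite("https://stage.something.edu.vn", LIVE_KEYS, USERS, sessions)   # cloned keys/salts
    rekeyed = WpSite("https://stage.something.edu.vn", FRESH_KEYS, USERS, sessions)  # regenerated keys/salts

    cookie = staging.generate_auth_cookie("adminuser", EXPIRATION, SESSION_TOKEN)
    return {
        "cookie_mentions_host": "something.edu.vn" in cookie,
        "valid_on_staging": staging.validate_auth_cookie(cookie, NOW),
        "valid_on_live": live.validate_auth_cookie(cookie, NOW),
        "valid_after_rekey": rekeyed.validate_auth_cookie(cookie, NOW),
        "same_cookie_name": live.cookie_name() == staging.cookie_name(),
    }
```

Nothing about the host enters the MAC, so a cookie issued by the clone verifies on the live site for as long as AUTH_KEY and AUTH_SALT, the user_pass row and the session_tokens meta are identical; regenerating the clone's keys and salts is what makes the two installs distinct. The cookie name does depend on the siteurl option, and whether a browser presents a cookie to a parent or sibling host is decided by the cookie's Domain attribute, which is where COOKIE_DOMAIN comes in.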