Make WordPress Core

Opened 4 months ago

Last modified 4 months ago

#60090 new defect (bug)

Double login with cloned wordpress instance

Reported by: vchn's profile vchn Owned by:
Milestone: Awaiting Review Priority: normal
Severity: major Version: 6.4.2
Component: Security Keywords:
Focuses: administration, privacy Cc:

Description

We use Flatsome theme, from cPanel, use WordPress Manager by Softaculous feature to clone a "live" wordpress to new "staging" website.

"live" one is in domain: something.edu.vn
"staging" one is in domain: stage.something.edu.vn
Both websites use single hosting, i.e no CDN installed.
As they are cloned from another, two sites have same config salf keys (SECURE_AUTH_SALT, AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY,AUTH_SALT,LOGGED_IN_SALT,NONCE_SALT)

Open staging site, log in with an admin user (e.x adminuser)
Open same browser new tab.
Browse "live" site, just refresh few times then we see that adminuser as logged in the "live" site.

Change History (6)

#1 follow-up: @dd32
4 months ago

Hi @vchn,

Can you confirm the following details?

  • You're not using any Authentication plugins
  • The cloned site is using a cloned database
  • The user is logged out before the cloning happens
  • Single or Multisite?
  • Is COOKIE_DOMAIN defined in the config?

This sounds like the expected behaviour to me at first. The URL is not part of the authentication, but is used for the cookies. If the cookies "leak" from the parent domain to the child staging domain (Which your browser is in control of - affected by COOKIE_DOMAIN constant too) and either a) The database is shared or b) The login occurs before the database is cloned, then with an exact replica of the main site a session would be able to be valid on both sites if all of the auth tokens in the database and configuration are the same.

#2 in reply to: ↑ 1 @vchn
4 months ago

Hi @dd32
+ No COOKIE_DOMAIN set in the config
+ We dont use any authentication plugin.
+ Now I can easily reproduce same issue:

  1. Log out both websites. Close browser
  2. Open browser, Log into "staging" site.
  3. Open new tab or new browser window (in normal mode, not Incognito).

Live site now also logged in with the same user.
Attach is full plugins list.
Image here https://www.evernote.com/shard/s271/sh/1b5f7a5c-cc41-4f10-9048-3452f18cefd3/hYum1U8q4Uz6NhkBYkJhnMsk7OYv9vptwD79GvOlIEZuwWuWQLQ1r2Ccig/deep/0/image.png

Replying to dd32:

Hi @vchn,

Can you confirm the following details?

  • You're not using any Authentication plugins
  • The cloned site is using a cloned database
  • The user is logged out before the cloning happens
  • Single or Multisite?
  • Is COOKIE_DOMAIN defined in the config?

This sounds like the expected behaviour to me at first. The URL is not part of the authentication, but is used for the cookies. If the cookies "leak" from the parent domain to the child staging domain (Which your browser is in control of - affected by COOKIE_DOMAIN constant too) and either a) The database is shared or b) The login occurs before the database is cloned, then with an exact replica of the main site a session would be able to be valid on both sites if all of the auth tokens in the database and configuration are the same.

#3 @dd32
4 months ago

Based on that, it sounds like it's using the same database (So it's just the disk files that are unique), and your site is configured to share cookies between the two domains, which would result in the behaviour you're seeing.

It's likely this is intentional from the cloning software you're using.

This ticket was mentioned in Slack in #core-performance by mukeshpanchal27. View the logs.


4 months ago

#5 @mukesh27
4 months ago

  • Focuses performance removed

Eliminate the Performance focus as it does not pertain to a performance issue.

#6 @vchn
4 months ago

@dd32
Two sites are on the same server, with different databases.

and your site is configured to share cookies between the two domains

Is this something controlled via wordpress admin setting or wp config? How to verify this option?

Note: See TracTickets for help on using tickets.