Make WordPress Core

Opened 12 months ago

Closed 2 weeks ago

#60090 closed defect (bug) (invalid)

Double login with cloned wordpress instance

Reported by: vchn
Owned by:
Milestone:
Priority: normal
Severity: major
Version: 6.4.2
Component: Security
Keywords:
Focuses: administration, privacy
Cc:

Description

We use the Flatsome theme. From cPanel, we use the WordPress Manager by Softaculous feature to clone a "live" WordPress site to a new "staging" website.

The "live" one is in domain: something.edu.vn
The "staging" one is in domain: stage.something.edu.vn
Both websites use a single hosting account, i.e. no CDN installed.
As one is cloned from the other, the two sites have the same config salt keys (SECURE_AUTH_SALT, AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT).

Open the staging site, log in with an admin user (e.g. adminuser).
Open a new tab in the same browser.
Browse the "live" site, just refresh a few times, then we see adminuser logged in on the "live" site.

Change History (7)

#1 follow-up: @dd32
12 months ago

Hi @vchn,

Can you confirm the following details?

  • You're not using any Authentication plugins
  • The cloned site is using a cloned database
  • The user is logged out before the cloning happens
  • Single or Multisite?
  • Is COOKIE_DOMAIN defined in the config?

This sounds like the expected behaviour to me at first. The URL is not part of the authentication, but is used for the cookies. If the cookies "leak" from the parent domain to the child staging domain (Which your browser is in control of - affected by COOKIE_DOMAIN constant too) and either a) The database is shared or b) The login occurs before the database is cloned, then with an exact replica of the main site a session would be able to be valid on both sites if all of the auth tokens in the database and configuration are the same.
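The mechanism described above, as an added example that is not part of the ticket: a Python model of WordPress's logged-in cookie scheme (the wp_salt/wp_hash/wp_generate_auth_cookie construction plus the session-token lookup) showing that the host name is never an input to validation, so a cookie minted on staging is accepted by live only while both share the KEY/SALT constants and live's database holds the same session token; rotating the staging salts breaks the link. The constant values, user, password fragment and token are constructed.

```python
import hashlib
import hmac

# Constructed wp-config.php values for the "logged_in" scheme; real sites use 8 random constants.
LIVE_KEYS = {"LOGGED_IN_KEY": "example-key-live", "LOGGED_IN_SALT": "example-salt-live"}
ROTATED_KEYS = {"LOGGED_IN_KEY": "example-key-staging", "LOGGED_IN_SALT": "example-salt-staging"}

def wp_salt(keys, scheme="logged_in"):
    # wp_salt(): the scheme's KEY and SALT constants concatenated.
    return keys[f"{scheme.upper()}_KEY"] + keys[f"{scheme.upper()}_SALT"]

def wp_hash(data, keys):
    # wp_hash(): HMAC-MD5 keyed with wp_salt().
    return hmac.new(wp_salt(keys).encode(), data.encode(), hashlib.md5).hexdigest()

def cookie_mac(keys, login, pass_frag, expiration, token):
    # Inner key derived from the user's password-hash fragment, outer HMAC-SHA256 over login|exp|token.
    key = wp_hash(f"{login}|{pass_frag}|{expiration}|{token}", keys)
    return hmac.new(key.encode(), f"{login}|{expiration}|{token}".encode(), hashlib.sha256).hexdigest()

def generate_auth_cookie(keys, login, pass_frag, expiration, token):
    # Modelled on wp_generate_auth_cookie(); the site URL appears nowhere in the cookie.
    return f"{login}|{expiration}|{token}|{cookie_mac(keys, login, pass_frag, expiration, token)}"

def validate_auth_cookie(cookie, keys, users, session_tokens, now):
    """Return the login if this site accepts the cookie, else None.
    users: login -> pass_frag from this site's users table.
    session_tokens: login -> set of sha256(token) values from this site's usermeta."""
    try:
        login, expiration, token, mac = cookie.split("|")
    except ValueError:
        return None
    if int(expiration) < now or login not in users:
        return None
    if not hmac.compare_digest(cookie_mac(keys, login, users[login], expiration, token), mac):
        return None  # different KEY/SALT constants, or a tampered cookie
    if hashlib.sha256(token.encode()).hexdigest() not in session_tokens.get(login, set()):
        return None  # session token is not present in this site's database
    return login

def clone_scenario(staging_keys, live_keys, live_db_has_token):
    """Log in on staging, then present the browser's cookie to live; return live's verdict."""
    now, token, users = 1_700_000_000, "constructed-session-token", {"adminuser": "Ab3d"}
    cookie = generate_auth_cookie(staging_keys, "adminuser", users["adminuser"], now + 172800, token)
    live_tokens = {"adminuser": {hashlib.sha256(token.encode()).hexdigest()}} if live_db_has_token else {}
    return validate_auth_cookie(cookie, live_keys, users, live_tokens, now)
```

With identical constants and the token present in live's data the cookie validates on live; with either the constants rotated on the clone or the token absent from live's database it does not, which is the check to run before treating a clone as isolated.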

#2 in reply to: ↑ 1 @vchn
12 months ago

Hi @dd32
+ No COOKIE_DOMAIN set in the config.
+ We don't use any authentication plugin.
+ Now I can easily reproduce the same issue:

  1. Log out both websites. Close browser
  2. Open browser, Log into "staging" site.
  3. Open new tab or new browser window (in normal mode, not Incognito).

The live site is now also logged in with the same user.
Attached is the full plugins list.
Image here https://www.evernote.com/shard/s271/sh/1b5f7a5c-cc41-4f10-9048-3452f18cefd3/hYum1U8q4Uz6NhkBYkJhnMsk7OYv9vptwD79GvOlIEZuwWuWQLQ1r2Ccig/deep/0/image.png


#3 @dd32
12 months ago

Based on that, it sounds like it's using the same database (So it's just the disk files that are unique), and your site is configured to share cookies between the two domains, which would result in the behaviour you're seeing.

It's likely this is intentional from the cloning software you're using.

This ticket was mentioned in Slack in #core-performance by mukeshpanchal27.
12 months ago
#5 @mukesh27
12 months ago

  • Focuses performance removed

Eliminate the Performance focus as it does not pertain to a performance issue.

#6 @vchn
12 months ago

@dd32
Two sites are on the same server, with different databases.

and your site is configured to share cookies between the two domains

Is this something controlled via wordpress admin setting or wp config? How to verify this option?

#7 @johnbillion
2 weeks ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

I'll close this off as it doesn't appear to be a problem in the core software, rather it's due to the way your hosting provider or control panel is cloning the site. If this is still an issue then your best course of action is to contact your web host about the issue.

Best of luck!
