Make WordPress Core

Opened 5 months ago

Last modified 4 months ago

#60090 new defect (bug)

Double login with cloned wordpress instance

Reported by: vchn
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: major
Version: 6.4.2
Component: Security
Keywords:
Focuses: administration, privacy
Cc:

Description

We use the Flatsome theme. From cPanel, we used the WordPress Manager by Softaculous feature to clone a "live" WordPress site to a new "staging" website.

The "live" one is in the domain: something.edu.vn
The "staging" one is in the domain: stage.something.edu.vn
Both websites use a single hosting account, i.e. no CDN installed.
As one is cloned from the other, the two sites have the same config salt keys (SECURE_AUTH_SALT, AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT).

Open the staging site and log in with an admin user (e.g. adminuser).
Open a new tab in the same browser.
Browse the "live" site; just refresh a few times and we see adminuser logged in on the "live" site.

Change History (6)

#1 follow-up: @dd32
5 months ago

Hi @vchn,

Can you confirm the following details?

  • You're not using any Authentication plugins
  • The cloned site is using a cloned database
  • The user is logged out before the cloning happens
  • Single or Multisite?
  • Is COOKIE_DOMAIN defined in the config?

This sounds like the expected behaviour to me at first. The URL is not part of the authentication, but is used for the cookies. If the cookies "leak" from the parent domain to the child staging domain (Which your browser is in control of - affected by COOKIE_DOMAIN constant too) and either a) The database is shared or b) The login occurs before the database is cloned, then with an exact replica of the main site a session would be able to be valid on both sites if all of the auth tokens in the database and configuration are the same.
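To make the mechanism in the reply above concrete, here is an added Python re-creation of the WordPress auth-cookie scheme (it is an illustration written for this ticket, not WordPress's own code): a cookie carries user_login|expiration|token|hmac, the HMAC key is derived from the site's AUTH_KEY and AUTH_SALT plus a fragment of the stored password hash, and the session token must exist in that site's user session store. The sites, salts, password hash and token are constructed dicts and strings; it then checks which clone layouts accept a cookie issued by staging.

```python
# Added illustration, not WordPress's own code: a Python re-creation of the WordPress
# auth-cookie scheme (user_login|expiration|token|hmac, keyed from AUTH_KEY.AUTH_SALT)
# plus the session-token lookup against the site's own session store. Only one cookie
# scheme is modelled; sites and values below are constructed for the demonstration.
import hashlib
import hmac

def wp_hash(data, salt):  # wp_hash(): HMAC-MD5 keyed with the scheme's KEY and SALT concatenated
    return hmac.new(salt.encode(), data.encode(), hashlib.md5).hexdigest()

def cookie_mac(site, login, pass_frag, expiration, token):
    key = wp_hash(f"{login}|{pass_frag}|{expiration}|{token}", site["salt"])
    msg = f"{login}|{expiration}|{token}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()

def generate_auth_cookie(site, login, expiration, token):
    user = site["users"][login]
    user["sessions"].add(hashlib.sha256(token.encode()).hexdigest())  # session stored in usermeta
    mac = cookie_mac(site, login, user["user_pass"][8:12], expiration, token)
    return f"{login}|{expiration}|{token}|{mac}"

def validate_auth_cookie(site, cookie, now):
    parts = cookie.split("|")
    if len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < now:
        return False
    login, expiration, token, mac = parts
    user = site["users"].get(login)
    if user is None:
        return False
    expected = cookie_mac(site, login, user["user_pass"][8:12], expiration, token)
    if not hmac.compare_digest(expected, mac):
        return False
    return hashlib.sha256(token.encode()).hexdigest() in user["sessions"]  # token must exist here

def fresh_site(salt="AUTH_KEY+AUTH_SALT as copied by the cloner"):  # constructed salt
    return {"salt": salt, "users": {"adminuser": {"user_pass": "$P$Bconstructedhash", "sessions": set()}}}

def scenarios():
    token, exp, now = "constructed-session-token", 2_000_000_000, 1_900_000_000
    results = {}
    live = fresh_site()                                        # a) same salts, shared database
    staging = {"salt": live["salt"], "users": live["users"]}
    results["same_salts_shared_db"] = validate_auth_cookie(live, generate_auth_cookie(staging, "adminuser", exp, token), now)
    live, staging = fresh_site(), fresh_site()                 # b) same salts, separately cloned DB
    results["same_salts_cloned_db"] = validate_auth_cookie(live, generate_auth_cookie(staging, "adminuser", exp, token), now)
    live = fresh_site()                                        # c) salts rotated on the clone
    staging = {"salt": "fresh salts generated for staging", "users": live["users"]}
    results["rotated_salts_shared_db"] = validate_auth_cookie(live, generate_auth_cookie(staging, "adminuser", exp, token), now)
    return results
```

Only layout (a), identical salts plus a shared user/session table, lets the staging cookie pass on the live side; a separately cloned database rejects it because the session token was never written there, and regenerating the salts on the clone rejects it even when the database is shared.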

#2 in reply to: ↑ 1 @vchn
5 months ago

Hi @dd32
+ No COOKIE_DOMAIN set in the config.
+ We don't use any authentication plugin.
+ Now I can easily reproduce the same issue:

  1. Log out of both websites. Close the browser.
  2. Open the browser and log into the "staging" site.
  3. Open a new tab or new browser window (in normal mode, not Incognito).

The live site is now also logged in with the same user.
Attached is the full plugins list.
Image here https://www.evernote.com/shard/s271/sh/1b5f7a5c-cc41-4f10-9048-3452f18cefd3/hYum1U8q4Uz6NhkBYkJhnMsk7OYv9vptwD79GvOlIEZuwWuWQLQ1r2Ccig/deep/0/image.png

#3 @dd32
5 months ago

Based on that, it sounds like it's using the same database (So it's just the disk files that are unique), and your site is configured to share cookies between the two domains, which would result in the behaviour you're seeing.

It's likely this is intentional from the cloning software you're using.

#4
5 months ago

This ticket was mentioned in Slack in #core-performance by mukeshpanchal27.

#5 @mukesh27
5 months ago

  • Focuses performance removed

Eliminate the Performance focus as it does not pertain to a performance issue.

#6 @vchn
4 months ago

@dd32
The two sites are on the same server, with different databases.

"and your site is configured to share cookies between the two domains"

Is this something controlled via a WordPress admin setting or wp-config? How do I verify this option?
