Opened 12 months ago
Closed 2 weeks ago
#60090 closed defect (bug) (invalid)
Double login with cloned wordpress instance
| Reported by: | vchn | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | major | Version: | 6.4.2 |
| Component: | Security | Keywords: | |
| Focuses: | administration, privacy | Cc: | |
Description
We use the Flatsome theme. From cPanel, we use the WordPress Manager by Softaculous feature to clone a "live" WordPress site to a new "staging" website.
The "live" one is in the domain: something.edu.vn
The "staging" one is in the domain: stage.something.edu.vn
Both websites use a single hosting account, i.e. no CDN installed.
As they are cloned from one another, the two sites have the same config salt keys (SECURE_AUTH_SALT, AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT).
Open the staging site, log in with an admin user (e.g. adminuser).
In the same browser, open a new tab.
Browse the "live" site, just refresh a few times, and then we see adminuser logged in on the "live" site.
Change History (7)
#2 (in reply to #1), 12 months ago
Hi @dd32
+ No COOKIE_DOMAIN set in the config.
+ We don't use any authentication plugin.
+ Now I can easily reproduce the same issue:
  - Log out of both websites. Close the browser.
  - Open the browser, log into the "staging" site.
  - Open a new tab or new browser window (in normal mode, not Incognito).
  The live site is now also logged in with the same user.
Attached is the full plugins list.
Image here: https://www.evernote.com/shard/s271/sh/1b5f7a5c-cc41-4f10-9048-3452f18cefd3/hYum1U8q4Uz6NhkBYkJhnMsk7OYv9vptwD79GvOlIEZuwWuWQLQ1r2Ccig/deep/0/image.png
Replying to dd32:
> Hi @vchn,
> Can you confirm the following details?
> - You're not using any Authentication plugins
> - The cloned site is using a cloned database
> - The user is logged out before the cloning happens
> - Single or Multisite?
> - Is COOKIE_DOMAIN defined in the config?
>
> This sounds like the expected behaviour to me at first. The URL is not part of the authentication, but is used for the cookies. If the cookies "leak" from the parent domain to the child staging domain (which your browser is in control of, affected by the COOKIE_DOMAIN constant too) and either a) the database is shared or b) the login occurs before the database is cloned, then with an exact replica of the main site a session would be able to be valid on both sites if all of the auth tokens in the database and configuration are the same.
#3, 12 months ago
Based on that, it sounds like it's using the same database (So it's just the disk files that are unique), and your site is configured to share cookies between the two domains, which would result in the behaviour you're seeing.
It's likely this is intentional from the cloning software you're using.
This ticket was mentioned in Slack in #core-performance by mukeshpanchal27. View the logs. (12 months ago)
#5, 12 months ago
- Focuses performance removed
Eliminate the Performance focus as it does not pertain to a performance issue.
#6, 12 months ago
@dd32
The two sites are on the same server, with different databases.
> and your site is configured to share cookies between the two domains
Is this something controlled via a WordPress admin setting or wp-config? How do we verify this option?
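The two mechanisms dd32 describes in #1/#3 (the cookie's HMAC is built from the site's keys and salts plus the user record, and the session token must also be present in the site's database) and the COOKIE_DOMAIN question raised in #6 can be modelled in a few lines. The following is an added illustration written for this page; it is not WordPress core code, not the reporter's setup, and not the cloning tool's behaviour. It mirrors the shape of wp_generate_auth_cookie() / wp_validate_auth_cookie() (login|expiration|token|hmac, HMAC-MD5 keyed with AUTH_KEY + AUTH_SALT, a four-character fragment of the stored password hash, a SHA-256 session verifier) but drops cookie schemes, real phpass hashes and the usermeta layout. The class and function names, the placeholder keys, the placeholder hash and the fixed clock are all constructed for the example. It goes slightly beyond the ticket by also showing the case where the clone's keys and salts are rotated, which is the change that stops a cloned site from accepting the original's cookies.

```python
"""Toy model: when does a cloned WordPress site accept the live site's auth cookie?

Added example, not WordPress core code. Placeholder keys/hashes are constructed.
"""
import hashlib
import hmac


class Site:
    """One install: its keys/salts, its users table and its session store."""

    def __init__(self, name, auth_key, auth_salt, users, sessions=None):
        self.name = name
        self.auth_key = auth_key
        self.auth_salt = auth_salt
        self.users = users                                      # login -> stored password hash
        self.sessions = {} if sessions is None else sessions    # login -> set of token hashes (like usermeta session_tokens)

    def _wp_hash(self, data):
        # wp_hash(): HMAC-MD5 keyed with wp_salt('auth'), i.e. AUTH_KEY . AUTH_SALT
        salt = (self.auth_key + self.auth_salt).encode()
        return hmac.new(salt, data.encode(), hashlib.md5).hexdigest()

    def _cookie_hmac(self, login, expiration, token):
        pass_frag = self.users[login][8:12]                     # substr($user->user_pass, 8, 4)
        key = self._wp_hash(f"{login}|{pass_frag}|{expiration}|{token}")
        msg = f"{login}|{expiration}|{token}".encode()
        return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()

    def generate_auth_cookie(self, login, expiration, token):
        """Log the user in: record the session token hash in this DB, return the cookie value."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.sessions.setdefault(login, set()).add(token_hash)
        return f"{login}|{expiration}|{token}|{self._cookie_hmac(login, expiration, token)}"

    def validate_auth_cookie(self, cookie, now):
        parts = cookie.split("|")
        if len(parts) != 4:
            return False
        login, expiration, token, given = parts
        if login not in self.users or int(expiration) < now:
            return False
        if not hmac.compare_digest(self._cookie_hmac(login, expiration, token), given):
            return False                                        # keys/salts or password hash differ
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        return token_hash in self.sessions.get(login, set())    # session row must exist in *this* DB


def clone_site(src, name, rotate_salts=False, shared_database=False):
    """Clone the way a hosting panel might: copy the files (keys included) and copy or share the DB."""
    if shared_database:
        users, sessions = src.users, src.sessions               # both installs read the same tables
    else:
        users = dict(src.users)
        sessions = {login: set(hashes) for login, hashes in src.sessions.items()}
    if rotate_salts:
        # the fix: fresh AUTH_KEY / AUTH_SALT in the clone's wp-config.php (placeholder values)
        return Site(name, f"new-auth-key-for-{name}", f"new-auth-salt-for-{name}", users, sessions)
    return Site(name, src.auth_key, src.auth_salt, users, sessions)


NOW = 1_700_000_000          # constructed fixed clock, so the example is deterministic
TWO_DAYS = 2 * 86400


def _live_site():
    # constructed sample data: placeholder keys and a placeholder hash, not real values
    return Site("live", "live-auth-key-placeholder", "live-auth-salt-placeholder",
                {"adminuser": "$P$BPLACEHOLDERnotarealphpasshash0123456"})


def session_valid_on_both(rotate_salts, login_before_clone, shared_database=False):
    """True if a single cookie is accepted by both the live site and its staging clone."""
    live = _live_site()
    cookie = None
    if login_before_clone:
        cookie = live.generate_auth_cookie("adminuser", NOW + TWO_DAYS, "session-token-A")
    staging = clone_site(live, "staging", rotate_salts, shared_database)
    if cookie is None:                                          # otherwise log in on staging after the clone
        cookie = staging.generate_auth_cookie("adminuser", NOW + TWO_DAYS, "session-token-B")
    return live.validate_auth_cookie(cookie, NOW) and staging.validate_auth_cookie(cookie, NOW)


def cookie_sent_to(cookie_domain, set_by_host, request_host):
    """Browser side (RFC 6265 domain matching, simplified): does the cookie reach request_host?

    cookie_domain plays the role of COOKIE_DOMAIN; unset means a host-only cookie.
    """
    request_host = request_host.lower()
    if not cookie_domain:
        return request_host == set_by_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return request_host == domain or request_host.endswith("." + domain)


if __name__ == "__main__":
    print("same salts, login before clone:", session_valid_on_both(False, True))
    print("rotated salts, login before clone:", session_valid_on_both(True, True))
    print("same salts, separate DB, login after:", session_valid_on_both(False, False))
    print("same salts, shared DB, login after:", session_valid_on_both(False, False, True))
    print("host-only staging cookie reaches live:", cookie_sent_to(None, "stage.something.edu.vn", "something.edu.vn"))
```

Reading the four `session_valid_on_both` cases against the thread: a clone made while a session is active (case 1) or a clone that shares the database (case 4) accepts the same cookie on both hosts exactly as dd32's conditions (b) and (a) say, but only if the keys and salts are identical; rotating them in the clone's wp-config.php breaks that link (case 2). With separate databases and a login performed after the clone (case 3) the second site rejects the cookie because the session token is not in its table, which is why dd32 concluded in #3 that the database is effectively shared. `cookie_sent_to` answers the question in #6: with COOKIE_DOMAIN unset the cookie is host-only and the browser does not send it to the other hostname at all, so the domain scoping has to be checked in wp-config.php (or in whatever the cloning tool wrote there), not in the admin screens.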
#7, 2 weeks ago
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
I'll close this off as it doesn't appear to be a problem in the core software; rather it's due to the way your hosting provider or control panel is cloning the site. If this is still an issue, then your best course of action is to contact your web host about the issue.
Best of luck!