Make WordPress Core

Opened 2 months ago

Last modified 6 weeks ago

#60801 new defect (bug)

New sessions are created when user authenticates but there already are active sessions

Reported by: robert681 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.4.3
Component: Login and Registration Keywords: has-testing-info
Focuses: administration Cc:

Description

The problem: When a user logs in to WordPress a new session is created. If the user opens a new browser tab and navigates to website/wp-admin, the user does not need to authenticate because the session cookies are saved in the browser, which is the expected behaviour. The same happens even when the user closes the browser completely and reopens it within the duration of that session.

However, if the user navigates to the URL *website/wp-login.php* on the website they are already logged in to, the user is presented with a login page, and upon authenticating WordPress creates a new session and new cookies etc., instead of "retrieving" the existing logged-in session.

How to reproduce:

  1. Log in to a WordPress website
  2. Open a new browser tab on the same browser (you can close the previous one)
  3. Navigate to the login page of the same website you are already logged in to: *website/wp-login.php*
  4. Log in

At this point there are two different sessions for the same user in the database and in the browser the user has multiple sets of cookies for the different sessions.

The issues this causes:

  1. Excessive amount of unnecessary session data in the database. We've seen some large websites with tens of thousands of session entries in the database.
  2. Site admins who try to control / limit / manage the number of simultaneous user sessions with third party plugins end up having a lot of problems, such as locking out legit users etc

Possible solution?: There are a few possible solutions, however, the easiest one we can think of is to check for session cookies in the users' browsers whenever they access the *wp-login.php*, and if there are, retrieve that session.
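The check proposed above, as an added example written for this page; it is not code from the ticket, the reporter, or WordPress core. It is a must-use plugin that hooks `login_init` and, when the request is a plain login and a valid session already exists, redirects the user instead of rendering the form, so no second session is created. It relies on the core behaviour that the auth cookie is scoped to the admin and plugins cookie paths, so on wp-login.php only the logged_in cookie (path `/`) reaches the server; that is why the check validates the `logged_in` scheme explicitly rather than calling `is_user_logged_in()` blindly. The `ticket60801_` function names are an assumption of this example. It also keeps out of the way of the cases where core deliberately wants fresh credentials (`reauth=1`) or renders inside an iframe (`interim-login`).

```php
<?php
/**
 * Plugin Name: Reuse an existing login on wp-login.php
 * Description: Added example for ticket #60801 (not WordPress core code).
 *              Copy into wp-content/mu-plugins/ to try it.
 */

/**
 * Return the user ID behind the browser's existing session, or 0.
 *
 * The auth cookie (AUTH_COOKIE / SECURE_AUTH_COOKIE) is only sent on the
 * admin and plugins cookie paths, so on wp-login.php the only session
 * cookie WordPress can see is LOGGED_IN_COOKIE (path "/"). Validate that
 * one explicitly with the "logged_in" scheme.
 */
function ticket60801_existing_login_user_id() {
	if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
		return 0;
	}

	// wp_validate_auth_cookie() checks the HMAC, the expiry, and that the
	// session token still exists in the user's session store, so a cookie
	// for a session that was already destroyed is rejected here.
	$user_id = wp_validate_auth_cookie( $_COOKIE[ LOGGED_IN_COOKIE ], 'logged_in' );

	return $user_id ? (int) $user_id : 0;
}

/**
 * On a plain visit to wp-login.php, reuse the existing session instead of
 * showing the form (which would mint a second session on submit).
 */
function ticket60801_redirect_logged_in_user() {
	// Only intercept the "login" action; leave logout, lostpassword, rp,
	// resetpass, register, postpass and plugin-defined actions untouched.
	$action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : 'login';
	if ( 'login' !== $action ) {
		return;
	}

	// Core sends users to wp-login.php?reauth=1 when it wants a fresh
	// authentication (for example when the admin cookie has expired).
	// Honour that and let the form render.
	if ( ! empty( $_REQUEST['reauth'] ) ) {
		return;
	}

	// The interim login is the re-authentication modal inside wp-admin and
	// renders in an iframe; a redirect there would break the modal.
	if ( isset( $_REQUEST['interim-login'] ) ) {
		return;
	}

	$user_id = ticket60801_existing_login_user_id();
	if ( ! $user_id ) {
		return; // No valid session: show the normal login form.
	}

	// Reuse the session: wp_set_auth_cookie() is never called, so no new
	// token is added to the user's session_tokens meta and the browser keeps
	// its existing cookies. Send the user where they were going.
	$requested = isset( $_REQUEST['redirect_to'] ) ? wp_unslash( $_REQUEST['redirect_to'] ) : admin_url();
	$redirect  = apply_filters( 'login_redirect', $requested, $requested, get_userdata( $user_id ) );

	wp_safe_redirect( $redirect ); // host-allowlisted, unlike wp_redirect()
	exit;
}
add_action( 'login_init', 'ticket60801_redirect_logged_in_user' );

/**
 * Number of live sessions for a user: one entry per login in the
 * session_tokens user meta. Use it to confirm the effect of the plugin:
 * log in, revisit wp-login.php, and check that the count does not grow.
 */
function ticket60801_session_count( $user_id ) {
	return count( WP_Session_Tokens::get_instance( (int) $user_id )->get_all() );
}
```

With this in place, steps 1 to 4 of the reproduction above end in a redirect at step 3 rather than a second login, and `ticket60801_session_count( $user_id )` stays at 1 for the user. The `reauth` and `interim-login` exclusions are the important caveats: without them, the re-authentication flow core triggers after the admin cookie expires would loop, because the `logged_in` cookie typically outlives the `auth` cookie.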

Change History (4)

#1 @SergeyBiryukov
2 months ago

Hi there, welcome to WordPress Trac! Thanks for the ticket.

Just linking to a few related tickets here: #14949, #40768, #47088.

#2
2 months ago

This ticket was mentioned in Slack in #core-test by ankit-k-gupta.

#3 @Ankit K Gupta
2 months ago

  • Keywords has-testing-info added

#4 @rajinsharwar
6 weeks ago

Hi @robert681, let's continue the discussion on #14949
