WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#7521 closed defect (bug) (fixed)

wp_validate_auth_cookie ignore $scheme parameter when $cookie value is empty

Reported by: bendalton Owned by:
Milestone: 2.7 Priority: normal
Severity: major Version: 2.6
Component: General Keywords: bbPress cookie
Focuses: Cc:

Description

in pluggable.php, wp_validate_auth_cookie ignore $scheme parameter when $cookie value is empty. This breaks the use case when you want to validate a users cookie with the scheme 'logged_in'.

This breaks any plugins that use this functionality, specifically bbPress 1.0alpha.

Attachments (3)

patch.diff (896 bytes) - added by bendalton 7 years ago.
Fixes the function to use the $scheme parameter when validating user cookies
patch2.diff (1.3 KB) - added by bendalton 7 years ago.
Patch fixes bug but also preserves if_ssl() cookie name in the case that no $scheme is provided
2.7.diff (1.1 KB) - added by bendalton 7 years ago.
Patched to fix bug on most recent revision (8724)

Download all attachments as: .zip

Change History (12)

@bendalton7 years ago

Fixes the function to use the $scheme parameter when validating user cookies

comment:1 @bendalton7 years ago

  • Owner changed from Ben Dalton to bendalton
  • Status changed from new to assigned

comment:2 @bendalton7 years ago

  • Owner bendalton deleted
  • Status changed from assigned to new

comment:3 @bendalton7 years ago

I attached a working and semi-tested patch. (it shouldn't break anything and I haven't seen any problems)

comment:4 @ryan7 years ago

  • Milestone changed from 2.6.1 to 2.7

Too late for 2.6.1.

comment:5 @ryan7 years ago

Some places rely on the current behavior where the scheme is guessed when the cookie is empty. Perhaps we can default the scheme to empty and use an empty scheme to signal that the scheme should be guessed based on is_ssl().

@bendalton7 years ago

Patch fixes bug but also preserves if_ssl() cookie name in the case that no $scheme is provided

comment:6 @bendalton7 years ago

ryan: that makes sense... I attached a new diff with that functionality preserved

comment:7 @ryan7 years ago

Looks good. Let me do some testing and then I'll commit.

@bendalton7 years ago

Patched to fix bug on most recent revision (8724)

comment:8 @bendalton7 years ago

Okay, it looks like someone else committed changes first. Anyway their changes still leave the cookie validation broken. I've submitted yet another patch.

comment:9 @ryan7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [8731]) Don't ignore scheme when cookie value is empty. Props bendalton. fixes #7521

Note: See TracTickets for help on using tickets.