[wp-trac] [WordPress Trac] #39497: Can't log out completely without closing my browser

WordPress Trac noreply at wordpress.org
Tue Feb 14 15:59:28 UTC 2017


#39497: Can't log out completely without closing my browser
--------------------------+------------------------------
 Reporter:  davidmlentz   |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  General       |     Version:  4.7
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+------------------------------

Comment (by birgire):

 I can also confirm this on a single network multisite with subfolders (not
 subdomain).

 Additionally I store the WordPress core in its own subfolder

     /wp
     /wp-content
     index.php
     wp-config.php

 Just got flooded with user notices after upgrading from 4.6.x -> 4.7.x
 where users:

  - were not able to preview drafts - Not found 404 status
  - have to log into each subsite separately
  - can't logout because of 403 status from {{{wp_nonce_ays()}}} (ays = are
 you sure)
  - admin bar not visible on the frontend because {{{is_user_logged_in()}}}
 is false on the frontend
  - nonce verification problems

 These issues seem to be all connected.

 Let's compare the {{{wp_cookie_constants()}}} in WP version 4.6.3:
 {{{
 /**
  * Used to guarantee unique hash cookies
  *
  * @since 1.5.0
  */
 if ( !defined( 'COOKIEHASH' ) ) {
         $siteurl = get_site_option( 'siteurl' );
         if ( $siteurl )
                 define( 'COOKIEHASH', md5( $siteurl ) );
         else
                 define( 'COOKIEHASH', '' );
 }

 }}}

 and in version 4.7.3:

 {{{

 /**
  * Used to guarantee unique hash cookies
  *
  * @since 1.5.0
  */
 if ( !defined( 'COOKIEHASH' ) ) {
         $siteurl = get_site_option( 'siteurl' );

         if ( $siteurl )
                 define( 'COOKIEHASH', md5( $siteurl ) );
         else
                 define( 'COOKIEHASH', md5( wp_guess_url() ) );
 }
 }}}

 where we see that empty string {{{''}}} has been replaced with
 {{{wp_guess_url()}}}.

 On my install the

 {{{
 get_site_option( 'siteurl' )
 }}}

 seems to be empty and {{{COOKIEHASH}}} not manually defined.

 So the problematic line for my install seems to be this one:

 {{{
 define( 'COOKIEHASH', md5( wp_guess_url() ) );
 }}}

 because on the front-end it's
 {{{
 http://example.tld/wp
 }}}

 but within the backend it's
 {{{
 http://example.tld
 }}}
 resulting in two different cookie hashes.

 To avoid it we can either define in {{{wp-config.php}}}:

 {{{
 define( 'COOKIEHASH', md5( 'http://example.tld' ) );
 }}}

 or as suggested by @fwdcar to define {{{WP_SITEURL}}} that circumvents the
 url guessing in {{{wp_guess_url()}}}.

 Hope it helps.

 ps: Next I should probably investigate why {{{get_site_option( 'siteurl'
 )}}} is empty.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39497#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
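
To check which of the two URLs a browser's session cookie was issued under, the following added example (not part of the comment above and not WordPress core code) derives the hash for each candidate URL and matches it against a captured Cookie header. The cookie-name prefixes are the ones core builds from COOKIEHASH; the function names, the sample header and its VALUE placeholder are constructed for illustration.

```php
<?php
// Added diagnostic sketch, not WordPress core code.
// Auth cookie names end in COOKIEHASH (see wp_cookie_constants()).
const WP_COOKIE_PREFIXES = ['wordpress_logged_in_', 'wordpress_sec_', 'wordpress_'];

/** COOKIEHASH as the quoted core code derives it: md5 of the URL string. */
function cookie_hash(string $url): string {
    return md5($url);
}

/** Map each 32-hex cookie-name suffix in a Cookie header to the cookie names carrying it. */
function hashes_in_cookie_header(string $header): array {
    $found = [];
    foreach (explode(';', $header) as $pair) {
        $name = trim(explode('=', $pair, 2)[0]);
        foreach (WP_COOKIE_PREFIXES as $prefix) {
            if (strpos($name, $prefix) === 0
                && preg_match('/^[0-9a-f]{32}$/', substr($name, strlen($prefix)))) {
                $found[substr($name, strlen($prefix))][] = $name;
                break; // longest prefixes are listed first, so stop at the first hit
            }
        }
    }
    return $found;
}

/** For each candidate URL, list the cookies in the header whose hash matches it. */
function match_urls_to_cookies(array $urls, string $header): array {
    $present = hashes_in_cookie_header($header);
    $report = [];
    foreach ($urls as $label => $url) {
        $hash = cookie_hash($url);
        $report[$label] = ['url' => $url, 'hash' => $hash, 'cookies' => $present[$hash] ?? []];
    }
    return $report;
}

// The two values the comment reports for wp_guess_url().
$urls = ['front-end' => 'http://example.tld/wp', 'backend' => 'http://example.tld'];
// Constructed Cookie header: a session issued in the backend context ("VALUE" is a placeholder).
$header = 'wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_'
        . cookie_hash($urls['backend']) . '=VALUE';

foreach (match_urls_to_cookies($urls, $header) as $label => $row) {
    printf("%-9s %-22s %s  %s\n", $label, $row['url'], $row['hash'],
        $row['cookies'] ? 'cookie present' : 'no matching cookie');
}
```

A session cookie that matches only one of the two rows is the split described in the comment; with COOKIEHASH or WP_SITEURL pinned in wp-config.php, both contexts derive the same cookie name.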

