[wp-hackers] Understanding some interactions between cookies, sessions, nonces, multisite...

David Anderson david at wordshell.net
Mon Sep 22 12:28:28 UTC 2014


I just spent a *very* dull few hours tracing a problem, whereby 
wp_create_nonce() returned a nonce which wp_verify_nonce() (running via 
AJAX) did not accept.

This happened as follows:

1) the site was a sub-folder based multisite

2) the nonce was created by a page in the network dashboard, at 
wp-admin/network/settings.php, and output in some JS on the settings page.

3) the ajaxurl JS variable being output by wp-admin/admin-header.php 
goes via the main site which in this case lived at /main, and thus 
ajaxurl was set to wp-admin/main/admin-ajax.url

4) The browser had a different wordpress_logged_in_(hex) cookie value 
for /main than for /, i.e. two separate cookies existed in the browser. 
(The value of (hex) was the same, i.e. neither cookie lookup was empty.)

5) This resulted in wp_get_session_token() returning a different value 
when the nonce was checked (via AJAX, which got the cookie whose path 
was set to /main) compared to when it was set (via the network dashboard 
page, which got the cookie whose path was set to /).

I cleared all my cookies, and logged in via /wp-login.php again. The same 
thing happened. Both cookies returned.

This site had this in its wp-config.php:

define('ADMIN_COOKIE_PATH', '/');
define('COOKIE_DOMAIN', '');
define('COOKIEPATH', '');
define('SITECOOKIEPATH', '');

After removing those lines, clearing cookies, and logging in again, 
there was only one cookie, and everything worked.

This only breaks things on recent WP versions where 
wp_get_session_token() is used in nonces.

I'm familiar with AJAX and nonces, but WP's login stuff is not something 
I'm familiar with. The questions I don't understand the answers to are:

1) Why my customer might have had those defines in his wp-config.php, and
2) Why this breaks things in this way, and
3) Is this a bug?

Best wishes,
David

-- 
UpdraftPlus - best WordPress backups - http://updraftplus.com
WordShell - WordPress fast from the CLI - http://wordshell.net
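To show why a second logged_in cookie breaks verification, here is an added PHP model of the 4.0-era nonce derivation (tick|action|uid|session_token hashed with the nonce salt); it is not code from the post or from WordPress core, and the salt constant, the model_* helper names and the two session token strings are assumptions.

```php
<?php
// Added illustration (not from the original post or WordPress core): a stand-alone
// model of how WordPress 4.0-era nonces fold wp_get_session_token() into the hash.
// FAKE_NONCE_SALT stands in for NONCE_KEY/NONCE_SALT and model_wp_hash() for wp_hash();
// the tick arithmetic and hash layout mirror wp_nonce_tick() and wp_create_nonce().

const NONCE_LIFE = 86400;                          // DAY_IN_SECONDS, as in core
const FAKE_NONCE_SALT = 'constructed-nonce-salt';  // assumption: stand-in for the real salt

function nonce_tick() {
    // Same arithmetic as wp_nonce_tick(): two ticks per nonce lifetime.
    return (int) ceil(time() / (NONCE_LIFE / 2));
}

function model_wp_hash($data) {
    // Stand-in for wp_hash($data, 'nonce'): HMAC-MD5 keyed with the nonce salt.
    return hash_hmac('md5', $data, FAKE_NONCE_SALT);
}

function model_create_nonce($action, $uid, $session_token, $tick) {
    // wp_create_nonce(): the session token is part of the hashed material,
    // so a different cookie (different token) yields a different nonce.
    return substr(model_wp_hash($tick . '|' . $action . '|' . $uid . '|' . $session_token), -12, 10);
}

function model_verify_nonce($nonce, $action, $uid, $session_token) {
    // wp_verify_nonce(): accept the current tick (1) or the previous tick (2), else false.
    $i = nonce_tick();
    if (hash_equals(model_create_nonce($action, $uid, $session_token, $i), $nonce)) return 1;
    if (hash_equals(model_create_nonce($action, $uid, $session_token, $i - 1), $nonce)) return 2;
    return false;
}

// Constructed scenario from the post: the network dashboard page (cookie path "/") and
// the admin-ajax request (cookie path "/main") present different logged_in cookies, so
// wp_get_session_token() returns a different token on each request.
$token_root = 'constructed-token-from-cookie-path-root';
$token_main = 'constructed-token-from-cookie-path-main';
$nonce = model_create_nonce('my_plugin_action', 1, $token_root, nonce_tick());

// Same cookie on both requests: verification succeeds.
var_dump(model_verify_nonce($nonce, 'my_plugin_action', 1, $token_root));
// AJAX request carrying the other cookie's token: verification fails, as in the post.
var_dump(model_verify_nonce($nonce, 'my_plugin_action', 1, $token_main));
```

The fix the post describes (one cookie path, hence one session token across the dashboard page and admin-ajax.php) is what makes the two calls above use the same token.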


