[wp-hackers] wordpress_logged_in_HASH

Nikola Nikolov nikolov.tmw at gmail.com
Tue Feb 16 09:43:37 UTC 2016

Well, I believe that there's a reason why some cookies are httpOnly and not
accessible via JavaScript(security comes to mind?).

A way around this would be to add some other flag within your DOM or
otherwise JS-accessible that the current visitor is a logged-in user. Not
sure if it's WordPress that does that, but with Twenty Fourteen, the body
gets a class of "logged-in" so you can easily check that. Alternatively you
can either hook to 'wp_head' or 'wp_footer' and render your own <script>
tag with a variable in it, or you can use wp_localize_script() to again
pass something from PHP to JS.

The browser shows you the cookies, because it's the browser and it has
control of everything(plus it has to take those cookies to the server with
every request, right?). The specifications don't allow JavaScript to access
httpOnly cookies and I don't think anyone would build a browser that
doesn't follow that specification.

On Tue, 16 Feb 2016 at 06:24 Haluk Karamete <halukkaramete at gmail.com> wrote:

> document.cookie does not report/contain the wordpress cookie starting with
> the prefix "wordpress_logged_in_" followed by a hash.
> This is most likely, it is an httpOnly cookie.
> But it surely shows up on the chrome->dev-console->resources->cookies
> Is there a JavaScript way to know whether that cookie is there or not?
> It would be there, it the user logged in, and if would not be there, if the
> user logged out, or that cookie has expired.
> If document.cookie reported all the names of the cookie, this would not
> have been an issue.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list