[wp-trac] [WordPress Trac] #17728: User loses logged_in cookie but not other auth cookies
WordPress Trac
wp-trac at lists.automattic.com
Wed Jun 8 21:20:47 UTC 2011
#17728: User loses logged_in cookie but not other auth cookies
----------------------------+------------------------------
Reporter: mintindeed | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version: 3.1.2
Severity: normal | Resolution:
Keywords: |
----------------------------+------------------------------
Comment (by mintindeed):
Replying to [comment:2 nacin]:
> One cookie -- for wp-content/plugins -- is for compatibility, see
> [8209].
>
> Separating the other two is important. The admin cookie would normally
> handle the entire site, but for security purposes this privileged cookie
> is restricted to /wp-admin/. Thus the generic logged-in unprivileged
> cookie handles the frontend. It actually doesn't have to do with SSL,
> which introduces additional complexity all on its own.
I see, that makes more sense.
> > we have worked with WP support to resolve it
>
> Link? Or are you referring to WordPress.com, the separate hosted
> service?
Whoops, I meant WP VIP support. batmoo there suggested I check in here.
> With regards to the bug, not a clue what would cause this. We set and
> destruct these cookies all at the same time. That said, we could check for
> the existence of wordpress_logged_in_* on the backend, and set it if for
> some reason it is missing.
> Couldn't do it the other way around of course, as that defeats the
> purpose of the security measures.
I was thinking along the same lines, but it's worrying to just re-create
it without actually understanding why it went missing.

Good to know that wp_clear_auth_cookie() and wp_set_auth_cookie() are the
only places these cookies are written or removed. That makes it unlikely
that anything in core is causing this issue.

We have put in some cookie logging on one of our sites, and will be
rolling it out to the rest soon. Hopefully with ~30+ editors over a few
different domains, if this is a recurring problem we'll see it happen
again and be able to learn more.

Thanks for weighing in.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17728#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
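
An added example, not part of the ticket or of WordPress core: one way to analyse the kind of cookie logging mentioned above, flagging /wp-admin/ requests that carry the admin cookie but no wordpress_logged_in_* cookie. The record format, the sample data and the names `cookie_kinds` and `find_anomalies` are assumptions; `wordpress_<hash>` and `wordpress_sec_<hash>` are WordPress's default admin cookie names and do not appear in the message.

```python
import re

# Cookie names are "<prefix><COOKIEHASH>"; COOKIEHASH is an MD5 hex digest (32 chars).
KINDS = {
    "logged_in": re.compile(r"wordpress_logged_in_[0-9a-f]{32}"),
    "admin": re.compile(r"wordpress_(sec_)?[0-9a-f]{32}"),
}

def cookie_kinds(cookie_header):
    """Map a raw Cookie header to the kinds of WordPress auth cookies in it.

    Only names are inspected; values are session credentials and must
    never be written to a log.
    """
    kinds = set()
    for pair in cookie_header.split(";"):
        name = pair.split("=", 1)[0].strip()
        for kind, rx in KINDS.items():
            if rx.fullmatch(name):
                kinds.add(kind)
    return kinds

def find_anomalies(records):
    """Return (timestamp, path) for admin requests missing the logged-in cookie."""
    hits = []
    for ts, path, header in records:
        # The admin cookie is path-restricted to /wp-admin/, so its absence on
        # front-end requests is normal; only admin requests are comparable.
        if not path.startswith("/wp-admin/"):
            continue
        kinds = cookie_kinds(header)
        if "admin" in kinds and "logged_in" not in kinds:
            hits.append((ts, path))
    return hits

H = "0123456789abcdef0123456789abcdef"  # constructed COOKIEHASH
SAMPLE = [  # constructed records: (timestamp, path, Cookie header)
    ("2011-06-08T21:00:01Z", "/wp-admin/index.php",
     f"wordpress_{H}=x; wordpress_logged_in_{H}=x; wordpress_test_cookie=WP+Cookie+check"),
    ("2011-06-08T21:05:12Z", "/2011/06/post/", f"wordpress_logged_in_{H}=x"),
    ("2011-06-08T21:09:40Z", "/wp-admin/post.php",
     f"wordpress_sec_{H}=x; wordpress_test_cookie=WP+Cookie+check"),
    ("2011-06-08T21:10:02Z", "/", "wordpress_test_cookie=WP+Cookie+check"),
]

if __name__ == "__main__":
    for ts, path in find_anomalies(SAMPLE):
        print(ts, path, "admin cookie present, logged_in cookie missing")
```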