[wp-trac] [WordPress Trac] #29889: Login redirect to login page even if authenticated

WordPress Trac noreply at wordpress.org
Sat Dec 12 20:36:17 UTC 2020


#29889: Login redirect to login page even if authenticated
-------------------------------------------------+-------------------------
 Reporter:  sgissinger                           |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting
                                                 |  Review
Component:  Login and Registration               |     Version:  3.9.2
 Severity:  normal                               |  Resolution:
 Keywords:  reporter-feedback needs-testing      |     Focuses:
  close                                          |
-------------------------------------------------+-------------------------

Old description:

> We use Wordpress in a private manner with use of '''login_redirect'''
> filter which is applied in the following code in file '''wp-login.php'''
> on line 777.
>
> {{{
> if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
>     if ( headers_sent() ) {
>         $user = new WP_Error( 'test_cookie', sprintf( __( '<strong>ERROR</strong>: Cookies are blocked due to unexpected output. For help, please see <a href="%1$s">this documentation</a> or try the <a href="%2$s">support forums</a>.' ),
>             __( 'http://codex.wordpress.org/Cookies' ), __( 'https://wordpress.org/support/' ) ) );
>     } elseif ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[ TEST_COOKIE ] ) ) {
>         // If cookies are disabled we can't log in even with a valid user+pass
>         $user = new WP_Error( 'test_cookie', sprintf( __( '<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href="%s">enable cookies</a> to use WordPress.' ),
>             __( 'http://codex.wordpress.org/Cookies' ) ) );
>     }
> }
>
> $requested_redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
> /**
>  * Filter the login redirect URL.
>  *
>  * @since 3.0.0
>  *
>  * @param string           $redirect_to           The redirect destination URL.
>  * @param string           $requested_redirect_to The requested redirect destination URL passed as a parameter.
>  * @param WP_User|WP_Error $user                  WP_User object if login was successful, WP_Error object otherwise.
>  */
> $redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
> }}}
>
> According to this, we use '''$user''' parameter in '''login_redirect'''
> filter to do some stuff.
>
> == Issue ==
> After a first log in attempt with good credentials, '''$user''' is a
> '''WP_Error''' which isn't normal.
> And when '''$user''' is a '''WP_Error''' my custom filter does redirect to
> login URL.
>
> Then I try to log in a second time just after the first one with the same
> credentials.
> In this second attempt, '''$user''' is a '''WP_User''', my custom filter
> does not redirect to login URL and everything works as expected.
>

> == Additional Information ==
> === Complement 1 ===
> After the first login, if I reach home URL (which is very different from
> login URL), I notice that I was successfully authenticated even if I was
> redirected to login URL by my custom filter.
>

> === Complement 2 ===
> It seems to happen after my browser started, subsequent logins even with
> different credentials work fine at the first time.
> If I restart my browser, this issue occurs and I'm redirected after first
> log in attempt.
>

> === Complement 3 ===
> Before our 3.9.2 update we were using 3.6.1 which handled this cookie
> check differently and did not override '''$user''' object.
>
> == Workaround ==
> We completely commented these lines and everything now works fine even
> with my custom '''login_redirect''' filter.
>

> Best

New description:

 We use WordPress in a private manner with use of '''login_redirect'''
 filter which is applied in the following code in file '''wp-login.php'''
 on line 777.

 {{{
 if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
     if ( headers_sent() ) {
         $user = new WP_Error( 'test_cookie', sprintf( __( '<strong>ERROR</strong>: Cookies are blocked due to unexpected output. For help, please see <a href="%1$s">this documentation</a> or try the <a href="%2$s">support forums</a>.' ),
             __( 'http://codex.wordpress.org/Cookies' ), __( 'https://wordpress.org/support/' ) ) );
     } elseif ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[ TEST_COOKIE ] ) ) {
         // If cookies are disabled we can't log in even with a valid user+pass
         $user = new WP_Error( 'test_cookie', sprintf( __( '<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href="%s">enable cookies</a> to use WordPress.' ),
             __( 'http://codex.wordpress.org/Cookies' ) ) );
     }
 }

 $requested_redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
 /**
  * Filter the login redirect URL.
  *
  * @since 3.0.0
  *
  * @param string           $redirect_to           The redirect destination URL.
  * @param string           $requested_redirect_to The requested redirect destination URL passed as a parameter.
  * @param WP_User|WP_Error $user                  WP_User object if login was successful, WP_Error object otherwise.
  */
 $redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
 }}}

 According to this, we use '''$user''' parameter in '''login_redirect'''
 filter to do some stuff.

 == Issue ==
 After a first log in attempt with good credentials, '''$user''' is a
 '''WP_Error''' which isn't normal.
 And when '''$user''' is a '''WP_Error''' my custom filter does redirect to
 login URL.

 Then I try to log in a second time just after the first one with the same
 credentials.
 In this second attempt, '''$user''' is a '''WP_User''', my custom filter
 does not redirect to login URL and everything works as expected.


 == Additional Information ==
 === Complement 1 ===
 After the first login, if I reach home URL (which is very different from
 login URL), I notice that I was successfully authenticated even if I was
 redirected to login URL by my custom filter.


 === Complement 2 ===
 It seems to happen after my browser started, subsequent logins even with
 different credentials work fine at the first time.
 If I restart my browser, this issue occurs and I'm redirected after first
 log in attempt.


 === Complement 3 ===
 Before our 3.9.2 update we were using 3.6.1 which handled this cookie
 check differently and did not override '''$user''' object.

 == Workaround ==
 We completely commented these lines and everything now works fine even
 with my custom '''login_redirect''' filter.


 Best

--

Comment (by hellofromTonya):

 Hello @sgissinger,

 Is this still an issue for you?

 The ticket is marked for `close` as John was unable to reproduce. Before
 closing, I wanted to check in with you. Please advise.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/29889#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
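
An added example, not part of the ticket or of WordPress core: a `login_redirect` callback that reads the `WP_Error` codes instead of sending every error back to the login URL, so a `test_cookie` error like the one created in the quoted check can be told apart from a credential failure. The function name and the fallback destinations are hypothetical.

```php
<?php
/**
 * Added example: login_redirect callback for a private site.
 * Hypothetical name and destinations; not the reporter's filter.
 *
 * @param string           $redirect_to           Destination chosen by wp-login.php.
 * @param string           $requested_redirect_to Raw 'redirect_to' request parameter.
 * @param WP_User|WP_Error $user                  Result of the login attempt.
 * @return string URL to redirect to.
 */
function example_private_login_redirect( $redirect_to, $requested_redirect_to, $user ) {
    if ( is_wp_error( $user ) ) {
        // Record which error was raised (e.g. 'test_cookie' versus a
        // credential error) so the first-attempt case can be diagnosed.
        error_log( 'login_redirect: WP_Error codes: ' . implode( ',', $user->get_error_codes() ) );

        // Do not redirect from inside the filter. wp-login.php only issues
        // its redirect when $user is not a WP_Error; otherwise it shows the
        // login form again with the error message.
        return $redirect_to;
    }

    if ( ! ( $user instanceof WP_User ) ) {
        return $redirect_to;
    }

    // Hypothetical policy: administrators go to the dashboard, everyone
    // else to the front page.
    $fallback = user_can( $user, 'manage_options' ) ? admin_url() : home_url( '/' );

    // The requested destination is user-controlled input: accept it only
    // if it points at an allowed host, otherwise use the fallback.
    if ( '' !== $requested_redirect_to ) {
        return wp_validate_redirect( $requested_redirect_to, $fallback );
    }

    return $fallback;
}
add_filter( 'login_redirect', 'example_private_login_redirect', 10, 3 );
```

The filter only chooses a destination; access control for private content still has to be enforced on each request, not at login time.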

