[wp-trac] [WordPress Trac] #50522: stop setting "older" cookies with multiple path prefixes

WordPress Trac noreply at wordpress.org
Tue Aug 8 14:31:05 UTC 2023


#50522: stop setting "older" cookies with multiple path prefixes
------------------------------------+-----------------------------
 Reporter:  drzraf                  |       Owner:  (none)
     Type:  defect (bug)            |      Status:  new
 Priority:  normal                  |   Milestone:  6.4
Component:  Login and Registration  |     Version:  5.4.2
 Severity:  normal                  |  Resolution:
 Keywords:                          |     Focuses:  administration
------------------------------------+-----------------------------

Comment (by SergeyBiryukov):

 Thanks for the ticket and the patch!

 Some history here:
 * [6387] / #5367 introduced `wp_clear_auth_cookie()`.
 * [7998] / #7001 introduced `SECURE_AUTH_COOKIE`.
 * [8069] / #7001 introduced `LOGGED_IN_COOKIE`.
 * [8197] / #7001 added the cookies that are now in the "Old cookies"
 section.
 * [8209] / #7001 introduced `PLUGINS_COOKIE_PATH` and `ADMIN_COOKIE_PATH`.

 Looking at [attachment:"strip-cookies.2.patch"], I'm a bit confused by
 this conditional:
 {{{
 if ( strpos( PLUGINS_COOKIE_PATH, ADMIN_COOKIE_PATH ) !== 0 ) { ... }
 }}}

 By default, on a clean install the values are:
 {{{
 COOKIEPATH:          /
 ADMIN_COOKIE_PATH:   /wp-admin
 PLUGINS_COOKIE_PATH: /wp-content/plugins
 }}}

 Or, when installed in a subfolder:
 {{{
 COOKIEPATH:          /subfolder/
 ADMIN_COOKIE_PATH:   /subfolder/wp-admin
 PLUGINS_COOKIE_PATH: /subfolder/wp-content/plugins
 }}}

 So I'm not sure why we're comparing `PLUGINS_COOKIE_PATH` and
 `ADMIN_COOKIE_PATH` here, as they would always be different on a typical
 install. Is there a scenario where `ADMIN_COOKIE_PATH` is a subpath of
 `PLUGINS_COOKIE_PATH`?

 On a related note, we can use `str_starts_with()` instead of `strpos()`
 here, see #58012.

 > We can also observe that in most configurations, COOKIEPATH = /,
 > ADMIN_COOKIE_PATH and SITECOOKIEPATH are either equal or a subpath of
 > COOKIEPATH. As a consequence, these additional granular-path cookies are
 > useless because the cookie is already set for the whole domain.

 Indeed, but it looks like `AUTH_COOKIE` and `SECURE_AUTH_COOKIE` are only
 set for `COOKIEPATH` in the "Old cookies" section, which this patch
 removes. I'm curious what the consequences of that could be, as well as
 what could happen if `wp_clear_auth_cookie()` no longer clears the "Even
 older cookies".

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50522#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
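
The following script is an added illustration of the path comparison discussed in the comment above; it is not part of the ticket, the patch, or WordPress core. It feeds the two configurations Sergey listed (constructed here as literals, not read from a live install) through the conditional quoted from `strip-cookies.2.patch`, through the `str_starts_with()` spelling suggested via #58012, and through a check of whether `ADMIN_COOKIE_PATH` and `PLUGINS_COOKIE_PATH` already fall under `COOKIEPATH`. It assumes PHP 8 for the native `str_starts_with()`.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// Evaluates the cookie-path relationships for the two sample configurations
// from the comment. Requires PHP 8 for the native str_starts_with().

/**
 * Report how one set of cookie paths relate to each other.
 * The three arguments are constructed sample values standing in for the
 * COOKIEPATH, ADMIN_COOKIE_PATH and PLUGINS_COOKIE_PATH constants.
 */
function describe_cookie_paths(string $cookiepath, string $admin, string $plugins): array
{
    return [
        // The conditional quoted from strip-cookies.2.patch: true whenever
        // ADMIN_COOKIE_PATH is not a prefix of PLUGINS_COOKIE_PATH.
        // strpos() returns false when the needle is absent, and false !== 0.
        'patch_condition_true'       => strpos($plugins, $admin) !== 0,
        // The same test spelled with str_starts_with(), as suggested via #58012.
        'admin_is_prefix_of_plugins' => str_starts_with($plugins, $admin),
        // Whether the granular paths are already covered by COOKIEPATH, which
        // is the point the quoted reply makes about the extra cookies.
        'admin_under_cookiepath'     => str_starts_with($admin, $cookiepath),
        'plugins_under_cookiepath'   => str_starts_with($plugins, $cookiepath),
    ];
}

// Constructed sample configurations matching the two listed in the comment.
$configs = [
    'clean install' => ['/', '/wp-admin', '/wp-content/plugins'],
    'subfolder'     => ['/subfolder/', '/subfolder/wp-admin', '/subfolder/wp-content/plugins'],
];

foreach ($configs as $label => [$cookiepath, $admin, $plugins]) {
    echo $label, ":\n";
    foreach (describe_cookie_paths($cookiepath, $admin, $plugins) as $key => $value) {
        printf("  %-27s %s\n", $key, $value ? 'true' : 'false');
    }
}
```

On both sample configurations the patch condition evaluates to true and `admin_is_prefix_of_plugins` to false, while both granular paths sit under `COOKIEPATH`; that is the observation behind the two questions in the comment. A site that defines `ADMIN_COOKIE_PATH` or `PLUGINS_COOKIE_PATH` in `wp-config.php` can be checked by substituting its values for the constructed ones.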