[wp-trac] [WordPress Trac] #60801: New sessions are created when user authenticates but there already are active sessions
WordPress Trac
noreply at wordpress.org
Mon Mar 18 18:28:42 UTC 2024
#60801: New sessions are created when user authenticates but there already are active sessions
------------------------------------+-----------------------------
Reporter: robert681 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 6.4.3
Severity: normal | Keywords:
Focuses: administration |
------------------------------------+-----------------------------
**The problem:** When a user logs in to WordPress a new session is
created. If the user opens a new browser tab and navigates to website/wp-
admin, the user does not need to authenticate because the session
cookies are saved in the browser, which is the expected behaviour. The
same happens even when the user closes the browser completely and reopens
it within the duration of that session.
However, if the user navigates to the URL *website/wp-login.php* on the
website they are already logged in to, the user is presented with a login
page, and upon authenticating WordPress creates a new session and new
cookies, etc., instead of "retrieving" the existing logged-in session.
**How to reproduce:**
1. Log in to a WordPress website
2. Open a new browser tab on the same browser (you can close the previous
one)
3. Navigate to the login page of the same website you are already logged
in to: *website/wp-login.php*
4. Log in
At this point there are two different sessions for the same user in the
database and in the browser the user has multiple sets of cookies for the
different sessions.
**The issues this causes:**
1. Excessive amount of unnecessary session data in the database. We've
seen some large websites with tens of thousands of session entries in the
database.
2. Site admins who try to control / limit / manage the number of
simultaneous user sessions with third party plugins end up having a lot of
problems, such as locking out legit users, etc.
**Possible solution?** There are a few possible solutions; however, the
easiest one we can think of is to check for session cookies in the users'
browsers whenever they access *wp-login.php* and, if there are any,
retrieve that session.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60801>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
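The check proposed in the ticket, written up as a must-use plugin. This is an added example for readers of the ticket, not WordPress core code and not a patch attached to #60801. The hooks (`login_init`, `set_auth_cookie`) and the `WP_Session_Tokens` methods are real core APIs; the `example_60801_*` function and filter names are made up for this example. The first hook avoids creating the second session at all; the second is a safety net for the "limit simultaneous sessions" use case mentioned under issue 2, which keeps the session just issued rather than locking the user out.

```php
<?php
/**
 * Plugin Name: Example for Trac #60801 (illustrative mu-plugin, not WordPress core)
 *
 * Drop into wp-content/mu-plugins/. Two hooks:
 *  1. login_init: when the browser already carries a valid logged_in cookie and the
 *     request is the plain "login" action, redirect instead of rendering the form,
 *     so wp_signon() never runs and no second session token is created.
 *  2. set_auth_cookie: cap the number of stored sessions per user.
 * Names prefixed "example_60801_" are invented for this example.
 */

add_action( 'login_init', 'example_60801_skip_login_if_already_authenticated' );

function example_60801_skip_login_if_already_authenticated() {
	$action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : 'login';

	// Only intercept the default login form. logout, lostpassword, resetpass,
	// postpass, etc. must keep their normal behaviour.
	if ( 'login' !== $action ) {
		return;
	}

	// reauth=1 is how core deliberately asks for credentials again (auth_redirect()
	// sends users there and the auth cookie is cleared); interim-login is the modal
	// re-login inside wp-admin. Both must still show the form, otherwise a site with
	// a valid logged_in cookie but a rejected auth cookie would loop.
	if ( ! empty( $_REQUEST['reauth'] ) || ! empty( $_REQUEST['interim-login'] ) ) {
		return;
	}

	// is_user_logged_in() validates the logged_in cookie, including checking that its
	// session token still exists in usermeta, so a stale cookie falls through to the
	// normal form instead of being "retrieved".
	if ( ! is_user_logged_in() ) {
		return;
	}

	$redirect_to = isset( $_REQUEST['redirect_to'] )
		? wp_unslash( $_REQUEST['redirect_to'] )
		: admin_url();

	// wp_safe_redirect() passes the target through wp_validate_redirect(), which only
	// allows the site's own host (plus allowed_redirect_hosts), so redirect_to cannot
	// be turned into an open redirect by this shortcut.
	wp_safe_redirect( $redirect_to );
	exit;
}

add_action( 'set_auth_cookie', 'example_60801_cap_sessions_per_user', 10, 6 );

/**
 * Runs inside wp_set_auth_cookie() after the new session token has been created
 * and stored. If the user now has more than $max live sessions, destroy every
 * session except the one just issued, so the browser that is logging in keeps
 * working. Expired sessions are pruned by WP_Session_Tokens before counting.
 */
function example_60801_cap_sessions_per_user( $auth_cookie, $expire, $expiration, $user_id, $scheme, $token ) {
	// Hypothetical filter so a site can choose its own ceiling.
	$max = (int) apply_filters( 'example_60801_max_sessions', 5 );

	$manager  = WP_Session_Tokens::get_instance( $user_id );
	$sessions = $manager->get_all(); // one array per live session: expiration, ip, ua, login

	if ( count( $sessions ) > $max ) {
		$manager->destroy_others( $token );
	}
}
```

Note that neither hook cleans up rows that already exist: sessions stored in the `session_tokens` user meta before the plugin is active remain until they expire or are destroyed. The cap also treats every session the same, so a user legitimately logged in from more than `$max` devices will be logged out everywhere except the newest one; choose the ceiling with that in mind.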