Bug #2811

closed

wp-login.php cookie restriction sometimes fails

Added by Boone Gorges over 10 years ago. Updated about 10 years ago.

Status: Resolved
Priority name: Normal
Assignee:
Category name: WordPress (misc)
Target version:
Start date: 2013-10-02
Due date:
% Done: 0%
Estimated time:
Deployment actions:

Description

Hi Ray - I enabled the Cookies for Login plugin, and it seems to be working in my tests, but we've had at least one report the .htaccess blocked what should've been a legitimate login. I was hoping we could use this space to talk over the possible points of failure.

From my understanding, the setup works like this. On 'init', the cookies-for-comments plugin creates a dynamically generated img file, whose sole purpose is to set a cookie with a certain key. The .htaccess rule then rejects any POST requests to wp-login.php that are not accompanied by the specified cookie header. (Actually, if using the .htaccess rule, it looks like your cookies-for-login plugin doesn't really do anything - is that right?) So, if someone is getting bounced against the .htaccess rule, there are a few possible culprits:

- The cookie is not being set, because the fake image is not being loaded. It looks like it's supposed to load at wp_footer, and it's possible that on some pages of the Commons (keeping in mind that we allow many themes, people can log in on their own blogs, etc.) wp_footer is not being run.
- The cookie is not being set, because cfc_set_comment_style_cookie() is not running. It seems to me that 'init' should always fire, but maybe I'm wrong about that? The plugin is network-activated.
- The cookie is being set, but with an incorrect/inconsistent key. That is, it's supposed to be keyed using the cfc_key option, which I've then hardcoded into the .htaccess check. It looks to me like they match properly, but maybe this has gone awry somewhere?

For the moment, I'm going to disable the .htaccess restriction for wp-login.php on the live site.

Any thoughts you have about how to debug would be most welcome!
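
One way to tell the three failure modes above apart from server logs, as an added example that is not part of the original issue or of either plugin. It assumes a custom Apache `LogFormat` ending in `%{Cookie}i`, a cookie named after a 32-hex-character key, and a hypothetical image path marker; the key, marker and log lines are constructed.

```python
import re

# Assumptions, none taken from the issue: access log written with a custom
# Apache LogFormat whose last field is "%{Cookie}i"; the cookie is named after
# a 32-hex-character key; IMG_MARKER is a hypothetical fragment of the
# cookie-setting image URL. Key, marker and log lines are constructed.
EXPECTED_KEY = "0123456789abcdef0123456789abcdef"
IMG_MARKER = "/cfc-image-placeholder"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)
KEY_NAME_RE = re.compile(r'(?:^|;\s*)([0-9a-f]{32})=')

def classify_denied_logins(lines, expected_key=EXPECTED_KEY):
    """Return (ip, reason) for every POST to wp-login.php answered with 403."""
    fetched_image = set()  # clients seen requesting the cookie-setting image
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, path, cookie = m["ip"], m["method"], m["path"], m["cookie"]
        if method == "GET" and IMG_MARKER in path:
            fetched_image.add(ip)
            continue
        is_login = method == "POST" and path.split("?")[0].endswith("/wp-login.php")
        if not (is_login and m["status"] == "403"):
            continue
        other_keys = [k for k in KEY_NAME_RE.findall(cookie) if k != expected_key]
        if expected_key in cookie:
            reason = "cookie-present-but-denied"  # review the rule itself
        elif other_keys:
            reason = "key-mismatch"               # cookie set under another key
        elif ip in fetched_image:
            reason = "image-loaded-no-cookie"     # image served, cookie not returned
        else:
            reason = "image-never-requested"      # suggests wp_footer did not run
        findings.append((ip, reason))
    return findings

SAMPLE_LOG = [  # constructed lines, documentation-range addresses
    '203.0.113.5 - - [02/Oct/2013:10:00:00 +0000] "GET /cfc-image-placeholder?x=1 HTTP/1.1" 200 43 "-"',
    '203.0.113.5 - - [02/Oct/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 403 210 "-"',
    '203.0.113.6 - - [02/Oct/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 403 210 "wordpress_test_cookie=WP+Cookie+check"',
    '203.0.113.7 - - [02/Oct/2013:10:02:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 403 210 "a=1; fedcba9876543210fedcba9876543210=1"',
    '203.0.113.8 - - [02/Oct/2013:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "0123456789abcdef0123456789abcdef=1"',
]
```

Calling `classify_denied_logins(SAMPLE_LOG)` groups each rejected login by the most likely culprit; the classification is a heuristic, since a cached image or a request logged on another vhost would not appear in the same file.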
