It came up without requiring any password. Is this a bug?
I’d call it a “cookie” 😉
Is there some way to prevent the password from being saved in a cookie? I know that my passwords aren’t saved when I enter a lot of the sites I work with, like vanguard.com or Chase.com or citibank.com or paypal.com. A cookie to access confidential data should not be left on any computer. A casual user of a publicly available computer could allow a subsequent user to access the data.
I am not a cookie wizard but there should be a possibility to set the expire time of the cookie.
Maybe someone else can help or in the meantime you could try a search.
If I knew how or where WordPress sets the cookie, I might be able to disable the command to create the cookie in the first place, or to make it expire in 10 minutes instead of a year. The codex refers to only two cookies, related to the sign-in username and password, but this is obviously another cookie, because it is not destroyed when I sign out. The codex says that the others are destroyed when you sign out.
It would seem that someone could create a script that sends the user to the login page anytime he tries to access the protected page and sends him to the real page otherwise. But this wouldn’t keep someone from fishing around for the right page number, would it?
Another idea I saw alluded to .htaccess and .htpasswd and protecting directories from access by non-logged-in viewers. I guess you put the private page in the protected directory, but it was too esoteric and convoluted and fragmentary for this mechanical engineer.
Guess I’ll just have to make a page that says: If you want a list of classmates with their addresses, phone numbers, and email addresses, contact the editor or the website administrator. Not eloquent, not dynamic, but it sorta does the job.
This amounts to a rather disappointing semi-hemi-demi-quasi-faux-resolution to the problem. I’ll leave the status as unresolved for a while in case someone can provide further insight.
I found the magic line in /wordpress/wp-pass.php and reset the time from 10 days to 1 minute
// 1 minute
setcookie('wp-postpass_' . COOKIEHASH, $_POST['post_password'], time() + 60, COOKIEPATH);
Now someone loses access if he leaves the page for more than 60 seconds, but he can get back in without re-entering the password if he tries within 60 seconds.
Will change status to resolved.
Thanks for your help.
This seems counterproductive to me. I’m struggling with it, too – 1 minute is too short and 1 yr too long and why is it set up in a way that requires someone to dig through core code? Is there a core function for password protecting a page that you can reference in a file (like page.php) where you could say:
`if (is_page(x)) {
wp_whateverfunctionforpassword('minutes'); }
else {whatever}
`
where the function would either show a password field and button or not based on the state of the cookie?
I mean, I’m alright with modifying core files, but isn’t WP supposed to avoid having to do that?
Um, modifying that function doesn’t seem to have any effect in Firefox. I had to physically go into my Firefox cookies and manually remove the cookie to get the password form to show back up for a test page.
Weird.
This was after setting it to the 60 seconds per the above suggestions and then using web developer tools to clear cookies.
Any suggestions, anyone?
Hey,
Please could you (the helpful answerers) not forget his initial question, which was:
… how to restrict access to certain pages to valid logged-in users….
It went without any answer, which is why the member started to change code about the cookie, which is not really relevant to my experience.
Can anyone say if the requested functionality still exists in WP? How to do it? Or when will it be added into the next release, if the team deems it relevant…
Thank you
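
The three things asked for in this thread (a shorter post-password cookie lifetime, clearing that cookie at sign-out, and limiting a page to logged-in users) can be done from a small plugin instead of editing core files. This is an added example, not code from any poster or from WordPress itself. It assumes a WordPress version that provides the post_password_expires filter (newer than the wp-pass.php version discussed above), and the page ID 42 and the 10-minute lifetime are placeholders.

```php
<?php
/*
 * Plugin Name: Private page hardening (added example)
 */

// Assumption: ID of the page holding the private list (placeholder value).
const EXAMPLE_PRIVATE_PAGE_ID = 42;

// 1. Shorten the lifetime of the wp-postpass_ cookie without touching core.
//    Core passes its default expiry timestamp; return a new timestamp.
add_filter( 'post_password_expires', function ( $expires ) {
    return time() + 10 * MINUTE_IN_SECONDS;
} );

// 2. Expire the post-password cookie when the user signs out, so it does
//    not outlive the session on a shared computer.
add_action( 'wp_logout', function () {
    setcookie(
        'wp-postpass_' . COOKIEHASH,
        ' ',
        time() - YEAR_IN_SECONDS, // a date in the past deletes the cookie
        COOKIEPATH,
        COOKIE_DOMAIN
    );
} );

// 3. Require a logged-in user for the private page. Anonymous visitors are
//    sent to the login form and returned to the page after signing in.
add_action( 'template_redirect', function () {
    if ( is_page( EXAMPLE_PRIVATE_PAGE_ID ) && ! is_user_logged_in() ) {
        auth_redirect();
    }
} );
```

A cookie that a browser already holds keeps the expiry it was issued with, so a shorter lifetime only applies to cookies set after the change; delete the old cookie before testing.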