WordPress.org

Ready to get started?Download WordPress

Forums

Login Cookies TOO Secure (2 posts)

  1. cmarshall
    Member
    Posted 6 years ago #

    Okay, this was driving me nuts (actually, it's more of a short putt *<:o)

    I wrote this kewl plugin to transmogrify the siteurl requests to my localhost/test VM:

    function test_localhosts( $ret )
        {
        if ( preg_match ( '|10\.211\.55\.2|', $_SERVER['SERVER_ADDR'] ) )
            {
            $ret = "http://10.211.55.2/~cmarshall/littlegreenviper.com/public_html/main";
            }
        elseif ( preg_match ( '|127\.0\.0\.1|', $_SERVER['SERVER_ADDR'] ) || preg_match ( '|localhost|', $_SERVER['REQUEST_URI'] ) )
            {
            $ret = "http://localhost/~cmarshall/littlegreenviper.com/public_html/main";
            }
        return $ret;
        }
    
    add_filter ( 'pre_option_home', 'test_localhosts', 0, 1 );
    add_filter ( 'pre_option_siteurl', 'test_localhosts', 0, 1 );
    add_filter ( 'bloginfo_url', 'test_localhosts', 0, 1 );

    However, it will never let me log in as an admin. I finally figured out that the COOKIE_HASH was stinky.

    This is because COOKIE_HASH does a get_info('siteurl') BEFORE the plugins are applied, yet the comparison is done AFTER they are applied.

    This is very, very annoying. Is there the slightest chance that we could figure out a way to make the COOKIE_HASH chill when I am running this on a test server?

    Thanks.

  2. cmarshall
    Member
    Posted 6 years ago #

    er, that's "COOKIEHASH".

    The file in question is wp-settings.php.

    The offending section is this one:

    if (strpos($_SERVER['PHP_SELF'], 'install.php') === false) {
        // Used to guarantee unique hash cookies
        $cookiehash = md5(get_option('siteurl'));
    	define('COOKIEHASH', $cookiehash);
    }
    
    if ( !defined('USER_COOKIE') )
    	define('USER_COOKIE', 'wordpressuser_'. COOKIEHASH);
    if ( !defined('PASS_COOKIE') )
    	define('PASS_COOKIE', 'wordpresspass_'. COOKIEHASH);
    if ( !defined('COOKIEPATH') )
    	define('COOKIEPATH', preg_replace('|https?://[^/]+|i', '', get_option('home') . '/' ) );
    if ( !defined('SITECOOKIEPATH') )
    	define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', get_option('siteurl') . '/' ) );
    if ( !defined('COOKIE_DOMAIN') )
    	define('COOKIE_DOMAIN', false);

    This calls get_option('siteurl') and get_option('home'). However, the plugins have not yet been scanned for their add_filter() calls, so the intercepted calls are not made.

    It may be as simple as moving the above section to below this section:

    if ( get_option('active_plugins') ) {
    	$current_plugins = get_option('active_plugins');
    	if ( is_array($current_plugins) ) {
    		foreach ($current_plugins as $plugin) {
    			if ('' != $plugin && file_exists(ABSPATH . PLUGINDIR . '/' . $plugin))
    				include_once(ABSPATH . PLUGINDIR . '/' . $plugin);
    		}
    	}
    }

    But I'm not so sure about that. Some of the plugins may need the constants above defined.

Topic Closed

This topic has been closed to new replies.

About this Topic