WordPress.org

Ready to get started?Download WordPress

Forums

Page Protection Password (19 posts)

  1. paulhume
    Member
    Posted 2 years ago #

    I have a need for the password to time out a lot quicker for protected pages in a wordpress site.

    In older versions of WP I would edit the wp_pass.php file to achieve this. After the 3.4.1 update WP does not use this file anymore.

    Does anyone know how I can change the timeout value on the page protection passwords?

    Thank you in advance for your help.

    Regards

    Paul

  2. Ricke 59
    Member
    Posted 1 year ago #

    I'm also hoping for someone to present a solution to this problem.

    This change from upgrading to v3.4.1 is really an unwanted setback especially when accessing the site from a public station.

  3. Ricke 59
    Member
    Posted 1 year ago #

    After having googled a lot I've found the solution to the problem of not being able to set the timeout time after entering the password on a password protected page.

    What was before the update to 3.4.1 done in the file wp-pass.php must now be done in the file wp-login.php, and it's to be done on line 393.

    Example where I've changed to 900 = 15 minutes

    // 10 days 864000 ändrat till 900 = 15 min
     setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 900, COOKIEPATH )
  4. fr2632
    Member
    Posted 1 year ago #

    Unfortunately it does not work for me :(

    My wp version is the 3.5.1 and I modified the wp-login.php like the following:

    // 10 days 864000 ändrat till 900 = 15 min
     setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 900, COOKIEPATH )

    It does not work :(

    Any other ideas?

  5. Ricke 59
    Member
    Posted 1 year ago #

    I'm still using v3.4.1 and it's not fun at all to read that the solution for shorter time-out on password protected pages may need to be reinvestigated again.

    I really hope someone can verify it this is really the case.

    Updating to 3.5.1 will most likely have to wait until a solution has been made available.

    The best solution to this should in my opinion be that the time for a password protected page to timeout is set on the page where the password is entered.
    To have a standard timeout of 10 days is not reasonable since these pages might be read from a "public" station and any entered password stays active undependant of logged on or not logged on readers.

    Having to "hack" the php files should not have to be what we need to do.

  6. bcworkz
    Member
    Posted 1 year ago #

    I have successfully changed the cookie expiration time using the above code in 3.5.1. It is truly unfortunate there appears to be no clean way of achieving this.

    @fr2632, you did edit the existing line accordingly, and did not simply insert the code provided at line 393 right? The appropriate line in 3.5.1 is now at 399, and would override similar code inserted above it.

  7. fr2632
    Member
    Posted 1 year ago #

    @fr2632, you did edit the existing line accordingly, and did not simply insert the code provided at line 393 right? The appropriate line in 3.5.1 is now at 399, and would override similar code inserted above it.

    Thats right, I modified the line 399 of the wp-login.php file.

  8. fr2632
    Member
    Posted 1 year ago #

    Ok, I found a solution! Just add this code into function.php of your theme:

    add_action( 'wp', 'post_pw_sess_expire' );
        function post_pw_sess_expire() {
        if ( isset( $_COOKIE['wp-postpass_' . COOKIEHASH] ) )
        // Setting a time of 0 in setcookie() forces the cookie to expire with the session
        setcookie('wp-postpass_' . COOKIEHASH, '', 0, COOKIEPATH);
    }

    This will forces the cookie to expire with the session, basically when you close and reopen the page will ask for the password again :)

  9. bcworkz
    Member
    Posted 1 year ago #

    Ah! Very good! I was so focused on setting the cookie the way I wanted I completely blanked on the fact I could change the expiration at any time. Thanks for taking my blinders off :)

    Still odd the other approach did not work for you, but no matter now. Cheers.

  10. fr2632
    Member
    Posted 1 year ago #

    This is still a "workaround"... I think wordpress developers needs to do something about it!

  11. petruburac
    Member
    Posted 1 year ago #

    For me it worked Ricke 59 solution on wordpress 3.5.1, modifying line 399 on file wp-login.php. Right now my client is satisfied with 10 minutes.

    I realy don't understand how they set it up for 10 days as standard. This is security measure and it should have been from the begining set with a much smaller time. Let's say one hour as average user.

  12. Rob
    Member
    Posted 1 year ago #

    I'm looking to have the session expire after 15 minutes rather than 0 seconds. I am using another function adapted from the FT-Password-Protect-Child-Pages that allows me to move from a parent page to the child page without re-entering the password but since it times out after you leave the parent page it is not going to work in my situation. Setting the 0 value in the script listed above to 15 didn't work. Does anyone have thoughts on a solution? Thanks in advance!

  13. Ricke 59
    Member
    Posted 1 year ago #

    Hello Rob,

    Please read the thread from top.
    If you set the number to 900 it'll give you 15 minutes.

    By setting the same password for all protected pages you'll also get the functionality you're looking for. Alternatively different passwords for different groups of pages.

    The first alternative works fine on my site since time of my post above.

  14. Rob
    Member
    Posted 1 year ago #

    Thanks Ricke 59! I guess it didn't occur to me that it was in seconds. I'm currently in the process of updating the outdated FT-Password-Protect-Child-Pages plugin with custom post type support and going to release it under a new name (with credit to the original author of course). I might just have to roll this script into it since the two seem to go hand in hand. Thanks again for your help with the timing!

  15. Ricke 59
    Member
    Posted 1 year ago #

    So now I've also updated to ver 3.5.2 and what is said above still works fine.

    wp_login.php

    // 10 days
    	setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );

    changed into

    // 15 minutes
    	setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 900, COOKIEPATH );
  16. jskrieg
    Member
    Posted 1 year ago #

    I'm running the Responsive Theme. Where would I find that line of code to change? I don't seem to have a wp_login.php section, at least not that I can find.

  17. esmi
    Forum Moderator
    Posted 1 year ago #

    @jskrieg: As per the Forum Welcome, please post your own topic. Posting in an existing topic prevents us from being able to track issues by topic. Added to which, your problem - despite any similarity in symptoms - is likely to be completely different.

  18. Ricke 59
    Member
    Posted 1 year ago #

    You will not find the wp_login.php file from inside WordPress admin area.
    You need to go into the root directory of your WordPress server installation.
    There you'll find the file and can edit it.

    It's always a good idea to have a backup file made first in case something doesn't work as intended

  19. Pabbles
    Member
    Posted 1 year ago #

    My own hackish solution, based on fr2632's function, which instead "refreshes" the cookie with $seconds time each time someone is on a specific page (probably the password-protected one), and should live through updates:

    In functions.php :

    function post_pw_sess_refresh($seconds = 900) {
    	if ( isset( $_COOKIE['wp-postpass_' . COOKIEHASH] ) ){
    		setcookie('wp-postpass_' . COOKIEHASH, $_COOKIE['wp-postpass_' . COOKIEHASH], time() + $seconds, COOKIEPATH);
    	}
    }

    In header.php : (With a $post->ID of your choice, of course)

    <?php if ($post->ID == 10){ post_pw_sess_refresh(900); } ?>

    So you kill the huge 10 day default lifetime of the original cookie, and as a bonus can keep it alive as long as you hop around in pages that call the function.

Topic Closed

This topic has been closed to new replies.

About this Topic