I’m also hoping for someone to present a solution to this problem.
This change from upgrading to v3.4.1 is really an unwanted setback especially when accessing the site from a public station.
After having googled a lot I’ve found the solution to the problem of not being able to set the timeout time after entering the password on a password protected page.
What was before the update to 3.4.1 done in the file wp-pass.php must now be done in the file wp-login.php, and it’s to be done on line 393.
Example where I’ve changed to 900 = 15 minutes
// 10 days 864000 รคndrat till 900 = 15 min
setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 900, COOKIEPATH )
Unfortunately it does not work for me ๐
My wp version is the 3.5.1 and I modified the wp-login.php like the following:
// 10 days 864000 รคndrat till 900 = 15 min
setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 900, COOKIEPATH )
It does not work ๐
Any other ideas?
I’m still using v3.4.1 and it’s not fun at all to read that the solution for shorter time-out on password protected pages may need to be reinvestigated again.
I really hope someone can verify it this is really the case.
Updating to 3.5.1 will most likely have to wait until a solution has been made available.
The best solution to this should in my opinion be that the time for a password protected page to timeout is set on the page where the password is entered.
To have a standard timeout of 10 days is not reasonable since these pages might be read from a “public” station and any entered password stays active undependant of logged on or not logged on readers.
Having to “hack” the php files should not have to be what we need to do.
I have successfully changed the cookie expiration time using the above code in 3.5.1. It is truly unfortunate there appears to be no clean way of achieving this.
@fr2632, you did edit the existing line accordingly, and did not simply insert the code provided at line 393 right? The appropriate line in 3.5.1 is now at 399, and would override similar code inserted above it.
@fr2632, you did edit the existing line accordingly, and did not simply insert the code provided at line 393 right? The appropriate line in 3.5.1 is now at 399, and would override similar code inserted above it.
Thats right, I modified the line 399 of the wp-login.php file.
Ok, I found a solution! Just add this code into function.php of your theme:
add_action( 'wp', 'post_pw_sess_expire' );
function post_pw_sess_expire() {
if ( isset( $_COOKIE['wp-postpass_' . COOKIEHASH] ) )
// Setting a time of 0 in setcookie() forces the cookie to expire with the session
setcookie('wp-postpass_' . COOKIEHASH, '', 0, COOKIEPATH);
}
This will forces the cookie to expire with the session, basically when you close and reopen the page will ask for the password again ๐
Ah! Very good! I was so focused on setting the cookie the way I wanted I completely blanked on the fact I could change the expiration at any time. Thanks for taking my blinders off ๐
Still odd the other approach did not work for you, but no matter now. Cheers.
This is still a “workaround”… I think wordpress developers needs to do something about it!
For me it worked Ricke 59 solution on wordpress 3.5.1, modifying line 399 on file wp-login.php. Right now my client is satisfied with 10 minutes.
I realy don’t understand how they set it up for 10 days as standard. This is security measure and it should have been from the begining set with a much smaller time. Let’s say one hour as average user.
I’m looking to have the session expire after 15 minutes rather than 0 seconds. I am using another function adapted from the FT-Password-Protect-Child-Pages that allows me to move from a parent page to the child page without re-entering the password but since it times out after you leave the parent page it is not going to work in my situation. Setting the 0 value in the script listed above to 15 didn’t work. Does anyone have thoughts on a solution? Thanks in advance!
Hello Rob,
Please read the thread from top.
If you set the number to 900 it’ll give you 15 minutes.
By setting the same password for all protected pages you’ll also get the functionality you’re looking for. Alternatively different passwords for different groups of pages.
The first alternative works fine on my site since time of my post above.
Thanks Ricke 59! I guess it didn’t occur to me that it was in seconds. I’m currently in the process of updating the outdated FT-Password-Protect-Child-Pages plugin with custom post type support and going to release it under a new name (with credit to the original author of course). I might just have to roll this script into it since the two seem to go hand in hand. Thanks again for your help with the timing!
So now I’ve also updated to ver 3.5.2 and what is said above still works fine.
wp_login.php
// 10 days
setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );
changed into
// 15 minutes
setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 900, COOKIEPATH );
I’m running the Responsive Theme. Where would I find that line of code to change? I don’t seem to have a wp_login.php section, at least not that I can find.
