Nonce fails for logged in users

w.gerick
(@wgerick)

9 years, 1 month ago

Hi there,

I’m running a multisite (subdirectories – setup), where my users log in at root level:

http://www.domain.com/login.php

This login uses ssl. Those users get a custom frontend-profil, also at root level:

http://www.domain.com/profile

Using ajax with nonces there works fine.

If those logged in users visit another site in my network, say:

http://www.domain.com/page2/

all nonces are failing there, because the current user is not set in the admin-ajax callback. So wordpress is checking the nonce created by user XY with the user 0 in admin-ajax.php. All the “normal” frontend functions on the sub-page, which get loaded during page build can see, that the user is logged in.

Maybe some issue with the auth-cookie, which is only set at root level? I have a test-stage environment, which is a copy of the live-site, except for the ssl encription. All the nonces are working there on every sub-page.

I have found a similar thread, but the solution isn’t working for me:
http://osdir.lowified.com/wordpress-hackers/2014-09/msg00031.html

Anyone has an idea? Thank you so much!

Viewing 4 replies - 1 through 4 (of 4 total)

jkhongusc
(@jkhongusc)

9 years, 1 month ago

Have you checked your cookies. If your login is ssl, I am pretty sure the cookie is secure. Then if you try to access a non-secure page your login is not recognized. The way to check is to access your page via https and see if your login is recognized.

Thread Starter w.gerick
(@wgerick)

9 years, 1 month ago

Thanks for your reply! Yes, the cookie is secure. However, there are two cookies:
– One for just signaling, that a user is logged in (LOGGED_IN_COOKIE)
– One secure for, for actual admin access (SECURE_AUTH_COOKIE)

So on my non-secure page he reads the non-secure cookie and sees, that the user is logged in. But when an ajax request is being made, it is done over ssl, since it is targeting the admin area. Problem is, even printing out $_COOKIE in admin-ajax.php shows nothing, when called from a sub-page on my network for logged in users. I even changed the ajaxurl and redirected all my

http://www.domain.com/page2/wp-admin/admin-ajax.php

requests to the root level:

http://www.domain.com/wp-admin/admin-ajax.php

just to be sure. But nothing. He can’t read any cookies, which is odd, because the admin-ajax request is done over ssl and is targeting the root level. So there should be no difference to sending an ajax-request from the root level.

Any ideas?

jkhongusc
(@jkhongusc)

9 years, 1 month ago

I am pretty sure you have a cookie issue. You need to match domain, path, and secure. http or unsecure cookies are passed to http and https. I use Chrome of FireFox to check cookies, both have web developer tools.

Moderator Ipstenu (Mika Epstein)
(@ipstenu)

🏳️‍🌈 Advisor and Activist

9 years, 1 month ago

If your login is ssl, I am pretty sure the cookie is secure. Then if you try to access a non-secure page your login is not recognized.

No, mine keeps me logged in.

What other plugins are you running?

I have WordPress HTTPS set up on my network to force https on admin only.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Nonce fails for logged in users’ is closed to new replies.

Nonce fails for logged in users

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics