Support » Plugin: Easy Digital Downloads » Problems with “User logged in” shortcode displaying content when not logged in

  • Resolved designdrumm

    (@designdrumm)



    Hello,
    I recently had a situation where I was on a page I created that had the [edd_profile_editor] shortcode in it. I had the page opened in a tab in Safari 10.1 (Mac). I proceeded to log out of my WordPress on another tab and then quit Safari (without going to the page with the [edd_profile_editor] shortcode). When I opened Safari, it opens with all the tabs I had open before quitting. When I went to the page with the shortcode, it proceeded to show me account info even though I was clearly logged out. This I feel is a serious security risk and should be addressed immediately.

    Please advise.
    Thank you,

    Best,
    designdrumm

Viewing 6 replies - 16 through 21 (of 21 total)
  • Plugin Author Pippin Williamson

    (@mordauk)

    Pippin's Plugins and Plugin Reviewer

    If you track it down I’d love to know what was causing it.

    Hey Pippin,
    I found this article.

    https://pippinsplugins.com/storing-session-data-in-wordpress-without-_session/

    It’s a little dated, but are you still implementing this or has it been removed? My thoughts are it has been removed. LMK.

    Best,
    designdrumm

    Plugin Author Pippin Williamson

    (@mordauk)

    Pippin's Plugins and Plugin Reviewer

    We still use that in Easy Digital Downloads.

    Well, looks to be a Safari issue. I tried on both Firefox and Chrome and when they brought the tabs back up once I opened the browser again, it sent me to the login page.

    So Safari is allowing user content that should only be viewable when logged in to be viewable when not. It is caching the page and is loading that instead of pulling the page down from the server. Is there any way to force Safari to check validation of the pages without removing any caching?

    Any ideas?

    Best,
    designdrumm

    Well, I figured out how to get the page to reload and check for login status in Safari.

    I duplicated the default page template and made it a user template and then added this code to the top of the page before the WordPress get_header() call.

    
    <?php
    /*
    Template Name: User Page Template
    */
    header("Cache-Control: no-cache, no-store, must-revalidate"); // HTTP 1.1.
    header("Pragma: no-cache"); // HTTP 1.0.
    header("Expires: 0"); // Proxies.
    ?>
    
    <?php get_header(); ?>
    
    ... 
    
    

    This forced Safari to have to grab the page again and when that happened, my checks for login were able to fire off. This would include any protection placed on the page by a plugin or theme. Seems Safari will store the page in the state it was in if it is allowed. I didn’t want to ruin this functionality for all my pages, so I elected to create a new template that I could then apply to pages I wanted that on. Like the members info area.

    It is important to note that this code will override any meta tag cache control if used in conjunction and may conflict with any cache control plugins that are installed. I haven’t tested that far yet. This was only to find out how to get past this issue. If you have a plugin that does cache control and allows individual page control, I would recommend utilizing that instead of the above solution. My issue may have arrived because I have not activated a cache control on my site yet. I myself may remove this in favor of the plugin.

    Well, thanks for drudging through this with me.
    Sorry for the spam.

    Best,
    designdrumm
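
An added example, not part of the original post and not Easy Digital Downloads code: the same Cache-Control value sent from a small site plugin instead of a dedicated page template, on any page whose content contains a listed shortcode. The `example_` function names and the shortcode list are assumptions; the WordPress calls used (`has_shortcode()`, `nocache_headers()`, `is_singular()`, `get_queried_object()`, the `template_redirect` hook) are core functions.

```php
<?php
/**
 * Plugin Name: No-store headers for account pages (added example)
 */

// Assumption: shortcodes whose output must never be shown from a stored copy.
// [edd_profile_editor] is the one from this thread; extend the list as needed.
const EXAMPLE_PRIVATE_SHORTCODES = array( 'edd_profile_editor' );

/**
 * Return true when the post content contains one of the listed shortcodes.
 * has_shortcode() only matches shortcodes that are registered, so the plugin
 * providing them must be active.
 */
function example_post_is_private( $post ) {
	if ( ! $post instanceof WP_Post ) {
		return false;
	}
	foreach ( EXAMPLE_PRIVATE_SHORTCODES as $tag ) {
		if ( has_shortcode( $post->post_content, $tag ) ) {
			return true;
		}
	}
	return false;
}

/**
 * Runs on template_redirect, before the theme prints anything,
 * so response headers can still be set.
 */
function example_send_no_store_headers() {
	// Only single posts/pages, and only while headers are still open.
	if ( ! is_singular() || headers_sent() ) {
		return;
	}
	if ( ! example_post_is_private( get_queried_object() ) ) {
		return;
	}
	nocache_headers(); // WordPress core's own no-cache header set.
	// Cache-Control value from the post; header() replaces the earlier value.
	header( 'Cache-Control: no-cache, no-store, must-revalidate' );
}
add_action( 'template_redirect', 'example_send_no_store_headers' );
```

Every other page keeps its normal caching behaviour, which matches the goal in the post of limiting the change to pages such as the members area.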

    Plugin Author Pippin Williamson

    (@mordauk)

    Pippin's Plugins and Plugin Reviewer

    I hope you’re able to get this resolved! Since it is not a problem with Easy Digital Downloads, however, this is not something I’ll be able to assist with any further. Best regards.

  • The topic ‘Problems with “User logged in” shortcode displaying content when not logged in’ is closed to new replies.