Support » Plugin: Subway - Private Site Option » Proposed Fix: Use nocache_headers() before any/all wp_safe_redirect() calls

  • – What’s the Problem –
    Effectively what’s happening is that visiting a page you need to be logged in to view has the login form page shown via a redirect, but the built-in wp_redirect() and wp_safe_redirect() (latter being what’s used here) functions don’t tell browser caches to not ignore the redirect. As such, logging in and then going back to the page that previously redirected to the login form has it still want to redirect to the login page per the browser’s cache (even if it’s a 302 redirect.) A site might have browser caching lasting minutes, hours, or longer which Firefox, Safari, Chrome, etc. have all seen to keep around (again, even with 302 redirects) to then encounter this.

    – The Fix –
    As such, any time wp_redirect() and/or wp_safe_redirect() is used should have nocache_headers() right before it so the browser knows that redirect is temporary & should then allow the page to be revisited without the redirect happening again after logging in.

    When it comes to what needs to be updated for this plugin to fix this potential issue, classes/subway-auth-redirect.php and classes/subway-page-redirect.php should be edited to have nocache_headers(); before their wp_safe_redirect(); calls to make sure things behave properly with browsers that might want to cache the redirect.

    – Additional Info –
    Just a heads up, this is an issue other similar plugins have dealt with (ex. Profile Builder had it reported & fixed per https://wordpress.org/support/topic/proposed-bugfix-prevent-login-redirect-from-browser-cache-rules/), and is actually something that can happen with any usage of wp_redirect() and/or wp_safe_redirect().

    As an aside, I do have a WordPress core ticket open at https://core.trac.wordpress.org/ticket/50422 to make it so wp_redirect() and wp_safe_redirect() take care of involving nocache_headers() in the process, but that’s yet to be accepted (or even discussed, unfortunately & weirdly, as of yet.) I’ve also documented this behavior & precaution for those looking to use those redirect functions at https://developer.wordpress.org/reference/functions/wp_redirect/#comment-3973 and https://developer.wordpress.org/reference/functions/wp_safe_redirect/#comment-3974 to help prevent this for developers until WordPress officially patches this behavior.

    I’d love to see this plugin update this as browser caching should be allowed to be optimized without redirects then lasting longer than they should (with this thankfully just being a matter of calling nocache_headers(); before the redirect happens.)

    Thanks!
    Kurt
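
An added example, not part of the original post or the plugin's code: a small Python audit helper that flags wp_redirect() / wp_safe_redirect() calls with no nocache_headers() call shortly before them in the same function. The function name, the look-back window and the PHP sample are assumptions made for illustration, and the check is a line-based heuristic rather than a PHP parser.

```python
import re

REDIRECT = re.compile(r"\bwp_(?:safe_)?redirect\s*\(")
NOCACHE = re.compile(r"\bnocache_headers\s*\(")
FUNCTION = re.compile(r"\bfunction\b")
COMMENT = re.compile(r"^\s*(//|#|/\*|\*)")

def find_unguarded_redirects(php_source, window=5):
    """Return (line_no, code) for redirect calls lacking a nearby nocache_headers()."""
    lines = php_source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        call = None if COMMENT.match(line) else REDIRECT.search(line)
        if not call:
            continue
        # A guard earlier on the same line counts.
        guarded = bool(NOCACHE.search(line[:call.start()]))
        for prev in reversed(lines[max(0, i - window):i]):
            if COMMENT.match(prev):
                continue  # a commented-out call sends no headers
            if NOCACHE.search(prev):
                guarded = True
                break
            if FUNCTION.search(prev):
                break  # reached the top of the enclosing function
        if not guarded:
            findings.append((i + 1, line.strip()))
    return findings

# Constructed PHP input for the demo; hypothetical functions, not the plugin's code.
SAMPLE = '''<?php
function demo_to_login( $login_url ) {
    wp_safe_redirect( $login_url );
    exit;
}
function demo_after_login( $target ) {
    nocache_headers();
    wp_safe_redirect( $target );
    exit;
}
function demo_legacy( $url ) {
    // nocache_headers();
    wp_redirect( $url );
    exit;
}
'''

if __name__ == "__main__":
    for line_no, code in find_unguarded_redirects(SAMPLE):
        print(f"line {line_no}: {code}")
```

Each flagged line still needs a manual look, since a guard placed further up than the window or in a calling function is not seen by this check.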
