badmin

The suggestion in the 2nd response (by anonymous) worked for me, but it seems a little risky. It allows the operation to proceed, no matter what domain it came from. This basically disables the protection the function was meant to provide. I’m guessing Function check_admin_referer() is there for a good reason, so simply disabling it can’t be a good idea.

Changing the $referer value to ‘localhost’ if things don’t match up and allowing the operation to proceed lets everything pass through. A better way of handling this may be to figure out if there is a logical reason why function check_admin_referer() is blocking the operation, and to make a specific accomodation for that case, only.

First modify the die statement to print out the $adminurl and $referer data to the screen. Then you can see what is going on and why things aren’t checking out. It is likely it is possible you can accomodate the one exception you are encountering while still protecting your site against hacking from all other referers.

In my case, there is a good reason for $adminurl and $referer not to match up. But the way they don’t match up is consistent. So I am able to check for this known exception while blocking all other exceptions from proceeding.

To do this, change function check_admin_referer() to the following:

function check_admin_referer() {
$adminurl = strtolower(get_settings(‘siteurl’)).’/wp-admin’;
$referer = strtolower($_SERVER[‘HTTP_REFERER’]);
if ( !strstr($referer, $adminurl) && !strstr($referer, ‘[insert the permitted exception domain name here]’) ) {
die(‘ERROR: Forbidden. Your request for this operation must come from a permitted domain.’);
}
}

It was just a theory, but I thought that maybe since the cookie is coming through as having been set by the parent domain, IE denies access to the cookie when the request is coming from the blog (the child domain).

If that’s not it, does anyone have another idea? I’d really love to get my blog working on IE.

thanks!

this may be relevant…. my blog site exists as a a subdirectory on my larger site, but I have an individual domain name for the blog. I am using cloaked web forwarding to point any requests for the blog domain to the subdirectory. The cookies that WP sets are defined as having come from the parent site. Could IE be having trouble because its getting confused by the cloaked DNS? Could it be rejecting access to the cookies because it thinks the request is coming from a third party site? I’m not sure how to test for this, or how to correct it if this is the problem.

PS, sorry for posting to multiple threads about this, but there were several started about this subject already. From now on, I’ll limit my discussion to this thread.

Joining in to say I’m experiencing this problem also. It’s been suggested elsewhere that the cause could be that IE refuses cookies from sites using non-RFC compliant hostnames. but by hostname is RFC-compliant, so this is not the cause for me. Does anyone have any other ideas? I’m surprised a problem as big as this one has existed for so long.