Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • I think I know how to reproduce this issue: once you edit anything of a post in “Quick Edit”, the expiry action gets reset to the default action.

    Thread Starter capi81

    (@capi81)

    Well, actually my code-snippet above has some issues, e.g. it does not unset the cookie on log-out, but I think you get the point 🙂

    Thread Starter capi81

    (@capi81)

    No, I don’t use Force SSL Exclusively, as visitors should be free to decide if they want to use HTTP or HTTPS.

    I did some experiments with the cookies and it seems that the wordpress_logged_in_* alone cannot be used to access the administration, if the wordpress_logged_in_* is not set due to the path restrictions of the secure cookie.

    Still, the content of the wordpress_logged_in_* is the same every time I log in, so I’d say it needs to be considered a credential which I would not want to be exposed via non-encrypted connections. What exactly can be accessed with the wordpress_logged_in? One seems to be able to preview unpublished articles, comment under the user’s name, what else?

    Maybe it would be a workaround to simply unset the cookie after login and modify WordPress URL and Site-URL to the HTTPS variant when being viewed via HTTPS so that article preview, etc. use HTTPS instead of the HTTP version, which would require the cookie to be set.

    Basically (I just tested it), the functionality is similar to the following addition to wp-config.php:

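    // Only switch to the HTTPS URLs when the request itself arrived over HTTPS.
    if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
      define('WP_HOME', 'https://www.domain.com/blog');
      define('WP_SITEURL', 'https://www.domain.com/blog');
      if (isset($_COOKIE["wordpress_logged_in_HASH"])) {
        // Re-issue the logged-in cookie with the Secure and HttpOnly flags set,
        setcookie('wordpress_logged_in_HASH', $_COOKIE["wordpress_logged_in_HASH"], 0, "/blog/", "www.domain.com", true, true);
        // then send an expired cookie of the same name and path without those flags.
        setcookie('wordpress_logged_in_HASH', "", time()-3600, "/blog/");
      }
    }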

    What is your opinion on my points above?
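
As an added example (not part of the thread and not WordPress code), this check parses Set-Cookie headers and reports WordPress login cookies issued without the Secure or HttpOnly attribute, which is the exposure the post above describes. The sample headers are constructed, `HASH` is the same placeholder the post uses, and the function names are hypothetical.

```python
# Cookie name prefixes WordPress uses for login state; the suffix is a per-site hash.
AUTH_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_")

# Constructed sample: Set-Cookie headers as an HTTPS login response might send them.
SAMPLE_HEADERS = [
    "wordpress_sec_HASH=admin%7C1%7Cabc; path=/blog/wp-admin; secure; HttpOnly",
    "wordpress_logged_in_HASH=admin%7C1%7Cdef; path=/blog/; HttpOnly",
    "wp-settings-1=editor%3Dtinymce; path=/blog/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes).

    Attribute names are lower-cased because they are case-insensitive;
    flag attributes such as Secure map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit(headers):
    """Return (cookie name, path, missing flags) for each login cookie
    that lacks Secure and/or HttpOnly."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not name.startswith(AUTH_PREFIXES):
            continue  # not a login cookie, e.g. wp-settings-*
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append((name, attrs.get("path", "(default)"), missing))
    return findings


if __name__ == "__main__":
    for name, path, missing in audit(SAMPLE_HEADERS):
        print(f"{name} (path {path}) is missing: {', '.join(missing)}")
```

A cookie reported as missing `secure` is one the browser will also attach to plain HTTP requests under that path.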
