2718.us blog » admin_cookie_path

Authenticating with WordPress 2.6 (part 3)

2718.us — Sun, 03 Aug 2008 23:55:48 +0000

So, as a followup to parts 1 and 2, per WordPress Trac ticket #7001, WordPress 2.6 has split up the login cookies into three parts:

what was the one and only login cookie in 2.5 is now limited to /wp-admin
there’s a copy of that one that’s just limited to /wp-content/plugins, for backward compatibility with plugins
there’s a new cookie that is at COOKIEPATH (which can be defined in your config file), that is checked by calling
```
is_user_logged_in()
```
(but perhaps this isn’t intended for secure authorization?)

So, it appears the way to go may be to change

auth_redirect()

if (!is_user_logged_in()) auth_redirect();

Maybe more to follow on this when I’ve more thoroughly explored it.

Authenticating with WordPress 2.6 (part 2)

2718.us — Wed, 30 Jul 2008 04:32:54 +0000

Having stated the problem and now played further, I’ve got good news and bad news.

The good news is that there’s an action hook, ‘set_auth_cookie’, that gets called whenever the cookies are set, so if the stuff for which you want to authenticate is on the same server but at a different path, you can create a plugin (or maybe use functions.php in your theme?) with something like the following:

function your_unique_name_here_set_auth_cookie($auth_cookie, $expire, $expiration, $user_id, $scheme) {
setcookie(AUTH_COOKIE, $auth_cookie, $expire, '/path/to/your/stuff', COOKIE_DOMAIN);
}
add_action('set_auth_cookie','your_unique_name_here_set_auth_cookie',10,5);

The bad news is that if your WordPress install is at example.com/something and you want to use it to authenticate at portal.example.com, you can’t set a cookie for portal.example.com from a script on example.com, so your only choice would be to set a cookie with path / on .example.com (note the leading period), which completely breaks the security added by the separate cookies.

Hopefully, there’ll be a “part 3″ to this wherein I solve this last problem somehow, since that’s the setup I’m dealing with.

Authenticating with WordPress 2.6 (part 1)

2718.us — Wed, 30 Jul 2008 03:03:51 +0000

I’ve been hoping for the last hour or two that there’d be just one post on this topic, giving the problem and solution all together, but I have yet to solve it and so I’m just going to post the issue for now, until I have a solution.

As a security measure in WP2.6, login cookies are now split into what seem to be at least three different cookies—two with paths like /wp-admin and /wp-content/plugins that are the full cookie that auth_redirect() checks against and one that’s different, with path / [paths relative to the blog root]. Near as I can tell, this immediately breaks any attempt to use auth_redirect() for authentication (e.g. this and this) outside the /wp-admin and /wp-content/plugins directories. It is also not immediately clear to me how to authenticate against the whole-site cookie, if there’s any way to do that at all.

A temporary, but very bad fix would be to completely defeat the security by defining ADMIN_COOKIE_PATH to be the site root, rather than the path to /wp-admin. I’m thinking that, from a quick skim of pluggable.php, there might be plugin action hooks to allow setting other cookies that would allow authentication on other paths…