Navigation

← Previous Changeset
Next Changeset →

Changeset 8069

Timestamp:

06/11/08 17:25:55 (3 months ago)

Author:

ryan

Message:

Introduce logged_in cookie. Deliver auth cookies only to wp-admin. see #7001

Files:

trunk/wp-admin/admin-header.php (modified) (1 diff)
trunk/wp-includes/functions.php (modified) (1 diff)
trunk/wp-includes/general-template.php (modified) (2 diffs)
trunk/wp-includes/link-template.php (modified) (2 diffs)
trunk/wp-includes/pluggable.php (modified) (14 diffs)
trunk/wp-includes/user.php (modified) (4 diffs)
trunk/wp-login.php (modified) (7 diffs)
trunk/wp-settings.php (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/wp-admin/admin-header.php

r8036	r8069
112	112	<?php } ?>
113	113
114		<div id="user_info"><p><?php printf(__('Howdy, <a href="%1$s">%2$s</a>!'), 'profile.php', $user_identity) ?> \| <a href="<?php echo site_url('wp-login.php?action=logout') ?>" title="<?php _e('Log Out') ?>"><?php _e('Log Out'); ?></a> \| <?php _e('<a href="http://codex.wordpress.org/">Help</a>') ?> \| <?php _e('<a href="http://wordpress.org/support/">Forums</a>') ?> \| <?php if ( $gears_compat ) { ?><span id="gears-menu"><a href="#" onclick="wpGears.message(1);return false;"><?php _e('Speed up!') ?></a></span><?php } ?></p></div>
	114	<div id="user_info"><p><?php printf(__('Howdy, <a href="%1$s">%2$s</a>!'), 'profile.php', $user_identity) ?> \| <a href="<?php echo site_url('wp-login.php?action=logout', 'login') ?>" title="<?php _e('Log Out') ?>"><?php _e('Log Out'); ?></a> \| <?php _e('<a href="http://codex.wordpress.org/">Help</a>') ?> \| <?php _e('<a href="http://wordpress.org/support/">Forums</a>') ?> \| <?php if ( $gears_compat ) { ?><span id="gears-menu"><a href="#" onclick="wpGears.message(1);return false;"><?php _e('Speed up!') ?></a></span><?php } ?></p></div>
115	115
116	116	<?php

trunk/wp-includes/functions.php

r7999	r8069
1769	1769	return ( 'on' == strtolower($_SERVER['HTTPS']) ) ? true : false;
1770	1770	}
	1771
	1772	function force_ssl_login($force = '') {
	1773	static $forced;
	1774
	1775	if ( '' != $force ) {
	1776	$old_forcded = $forced;
	1777	$forced = $force;
	1778	return $old_forced;
	1779	}
	1780
	1781	return $forced;
	1782	}
	1783
	1784	function force_ssl_admin($force = '') {
	1785	static $forced;
	1786
	1787	if ( '' != $force ) {
	1788	$old_forcded = $forced;
	1789	$forced = $force;
	1790	return $old_forced;
	1791	}
	1792
	1793	return $forced;
	1794	}
	1795
1771	1796	?>

trunk/wp-includes/general-template.php

r8058	r8069
34	34	function wp_loginout() {
35	35	if ( ! is_user_logged_in() )
36		$link = '<a href="' . site_url('wp-login.php', '~~forceable~~') . '">' . __('Log in') . '</a>';
	36	$link = '<a href="' . site_url('wp-login.php', 'login') . '">' . __('Log in') . '</a>';
37	37	else
38		$link = '<a href="' . site_url('wp-login.php?action=logout', '~~forceable~~') . '">' . __('Log out') . '</a>';
	38	$link = '<a href="' . site_url('wp-login.php?action=logout', 'login') . '">' . __('Log out') . '</a>';
39	39
40	40	echo apply_filters('loginout', $link);
…	…
46	46	if ( ! is_user_logged_in() ) {
47	47	if ( get_option('users_can_register') )
48		$link = $before . '<a href="' . site_url('wp-login.php?action=register', '~~forceable~~') . '">' . __('Register') . '</a>' . $after;
	48	$link = $before . '<a href="' . site_url('wp-login.php?action=register', 'login') . '">' . __('Register') . '</a>' . $after;
49	49	else
50	50	$link = '';

trunk/wp-includes/link-template.php

r8058	r8069
781	781	// should the list of allowed schemes be maintained elsewhere?
782	782	if ( !in_array($scheme, array('http', 'https')) ) {
783		if ( ('forceable' == $scheme) && (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) )
	783	if ( ('login' == $scheme) && ( force_ssl_login() \|\| force_ssl_admin() ) )
	784	$scheme = 'https';
	785	elseif ( ('admin' == $scheme) && force_ssl_admin() )
784	786	$scheme = 'https';
785	787	else
…	…
798	800	global $_wp_admin_url;
799	801
800		$url = site_url('wp-admin/', '~~forceable~~');
	802	$url = site_url('wp-admin/', 'admin');
801	803
802	804	if ( !empty($path) && is_string($path) && strpos($path, '..') === false )

trunk/wp-includes/pluggable.php

r8058	r8069
101	101
102	102	if ( ! $user = wp_validate_auth_cookie() ) {
103		wp_set_current_user(0);
104		return false;
	103	if ( empty($_COOKIE[LOGGED_IN_COOKIE]) \|\| !$user = wp_validate_auth_cookie($_COOKIE[LOGGED_IN_COOKIE], 'logged_in') ) {
	104	wp_set_current_user(0);
	105	return false;
	106	}
105	107	}
106	108
…	…
466	468	*
467	469	* @param string $cookie Optional. If used, will validate contents instead of cookie's
	470	* @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
468	471	* @return bool\|int False if invalid cookie, User ID if valid.
469	472	*/
470		function wp_validate_auth_cookie($cookie = '') {
	473	function wp_validate_auth_cookie($cookie = '', $scheme = 'auth') {
471	474	if ( empty($cookie) ) {
472		if ( is_ssl() )
	475	if ( is_ssl() ) {
473	476	$cookie_name = SECURE_AUTH_COOKIE;
474		else
	477	$scheme = 'secure_auth';
	478	} else {
475	479	$cookie_name = AUTH_COOKIE;
	480	$scheme = 'auth';
	481	}
476	482
477	483	if ( empty($_COOKIE[$cookie_name]) )
…	…
496	502	return false;
497	503
498		$key = wp_hash($username . '\|' . $expiration);
	504	$key = wp_hash($username . '\|' . $expiration, $scheme);
499	505	$hash = hash_hmac('md5', $username . '\|' . $expiration, $key);
500	506
…	…
520	526	* @param int $user_id User ID
521	527	* @param int $expiration Cookie expiration in seconds
522		* @param ~~bool $secure Whether the cookie is for https delivery only or not. Not used by default. For plugin use.~~
	528	* @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
523	529	* @return string Authentication cookie contents
524	530	*/
525		function wp_generate_auth_cookie($user_id, $expiration, $s~~ecure = false~~) {
	531	function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') {
526	532	$user = get_userdata($user_id);
527	533
528		$key = wp_hash($user->user_login . '\|' . $expiration);
	534	$key = wp_hash($user->user_login . '\|' . $expiration, $scheme);
529	535	$hash = hash_hmac('md5', $user->user_login . '\|' . $expiration, $key);
530	536
531	537	$cookie = $user->user_login . '\|' . $expiration . '\|' . $hash;
532	538
533		return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $s~~ecur~~e);
	539	return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $scheme);
534	540	}
535	541	endif;
…	…
549	555	* @param bool $remember Whether to remember the user or not
550	556	*/
551		function wp_set_auth_cookie($user_id, $remember = false) {
	557	function wp_set_auth_cookie($user_id, $remember = false, $secure = '') {
552	558	if ( $remember ) {
553	559	$expiration = $expire = time() + 1209600;
…	…
557	563	}
558	564
559		if ( is_ssl() ) {
560		$secure = true;
561		$cookie_name = SECURE_AUTH_COOKIE;
	565	if ( '' === $secure )
	566	$secure = is_ssl() ? true : false;
	567
	568	if ( $secure ) {
	569	$auth_cookie_name = SECURE_AUTH_COOKIE;
	570	$scheme = 'secure_auth';
562	571	} else {
563		$secure = false;
564		$cookie_name = AUTH_COOKIE;
565		}
566
567		$cookie = wp_generate_auth_cookie($user_id, $expiration, $secure);
568
569		do_action('set_auth_cookie', $cookie, $expire, $secure);
570
571		setcookie($cookie_name, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure);
	572	$auth_cookie_name = AUTH_COOKIE;
	573	$scheme = 'auth';
	574	}
	575
	576	$auth_cookie = wp_generate_auth_cookie($user_id, $expiration, $scheme);
	577	$logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in');
	578
	579	do_action('set_auth_cookie', $auth_cookie, $expire, $scheme);
	580	do_action('set_auth_cookie', $logged_in_cookie, $expire, 'logged_in');
	581
	582	setcookie($auth_cookie_name, $auth_cookie, $expire, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN, $secure);
	583	setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN);
572	584	if ( COOKIEPATH != SITECOOKIEPATH )
573		setcookie(~~$cookie_name, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure~~);
	585	setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN);
574	586	}
575	587	endif;
…	…
582	594	*/
583	595	function wp_clear_auth_cookie() {
584		setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
585		setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
586		setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
587		setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
	596	setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
	597	setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
	598	setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
	599	setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
	600	setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
	601	setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
588	602
589	603	// Old cookies
…	…
622	636	// Checks if a user is logged in, if not redirects them to the login page
623	637
624		if ( is_ssl() \|\| ~~(defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN~~) )
	638	if ( is_ssl() \|\| force_ssl_admin() )
625	639	$secure = true;
626	640	else
…	…
629	643	// If https is required and request is http, redirect
630	644	if ( $secure && !is_ssl() ) {
631		if ( ~~false !~~== strpos($_SERVER['REQUEST_URI'], 'http') ) {
632		wp_redirect(~~str_replace('http://~~', 'https://', $_SERVER['REQUEST_URI']));
	645	if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
	646	wp_redirect(preg_replace('\|^http://\|', 'https://', $_SERVER['REQUEST_URI']));
633	647	exit();
634	648	} else {
…	…
644	658	nocache_headers();
645	659
646		$login_url = site_url( 'wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']), 'forceable' );
	660	if ( is_ssl() )
	661	$proto = 'https://';
	662	else
	663	$proto = 'http://';
	664
	665	$login_url = site_url( 'wp-login.php?redirect_to=' . urlencode($proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']), 'login' );
647	666
648	667	wp_redirect($login_url);
…	…
972	991	$message = sprintf(__('Username: %s'), $user_login) . "\r\n";
973	992	$message .= sprintf(__('Password: %s'), $plaintext_pass) . "\r\n";
974		$message .= site_url("wp-login.php", '~~forceable~~') . "\r\n";
	993	$message .= site_url("wp-login.php", 'login') . "\r\n";
975	994
976	995	wp_mail($user_email, sprintf(__('[%s] Your username and password'), get_option('blogname')), $message);
…	…
1079	1098	* @return string Salt value from either 'SECRET_KEY' or 'secret' option
1080	1099	*/
1081		function wp_salt() {
	1100	function wp_salt($scheme = 'auth') {
1082	1101	global $wp_default_secret_key;
1083	1102	$secret_key = '';
…	…
1085	1104	$secret_key = SECRET_KEY;
1086	1105
1087		if ( defined('SECRET_SALT') ) {
1088		$salt = SECRET_SALT;
1089		} else {
1090		$salt = get_option('secret');
1091		if ( empty($salt) ) {
1092		$salt = wp_generate_password();
1093		update_option('secret', $salt);
	1106	if ( 'auth' == $scheme ) {
	1107	if ( defined('AUTH_KEY') && ('' != AUTH_KEY) && ( $wp_default_secret_key != AUTH_KEY) )
	1108	$secret_key = AUTH_KEY;
	1109
	1110	if ( defined('AUTH_SALT') ) {
	1111	$salt = AUTH_SALT;
	1112	} elseif ( defined('SECRET_SALT') ) {
	1113	$salt = SECRET_SALT;
	1114	} else {
	1115	$salt = get_option('auth_salt');
	1116	if ( empty($salt) ) {
	1117	$salt = wp_generate_password();
	1118	update_option('auth_salt', $salt);
	1119	}
1094	1120	}
1095		}
1096
1097		return apply_filters('salt', $secret_key . $salt);
	1121	} elseif ( 'secure_auth' == $scheme ) {
	1122	if ( defined('SECURE_AUTH_KEY') && ('' != SECURE_AUTH_KEY) && ( $wp_default_secret_key != SECURE_AUTH_KEY) )
	1123	$secret_key = SECURE_AUTH_KEY;
	1124
	1125	if ( defined('SECURE_AUTH_SALT') ) {
	1126	$salt = SECRET_AUTH_SALT;
	1127	} else {
	1128	$salt = get_option('secure_auth_salt');
	1129	if ( empty($salt) ) {
	1130	$salt = wp_generate_password();
	1131	update_option('secure_auth_salt', $salt);
	1132	}
	1133	}
	1134	} elseif ( 'logged_in' == $scheme ) {
	1135	if ( defined('LOGGED_IN_KEY') && ('' != LOGGED_IN_KEY) && ( $wp_default_secret_key != LOGGED_IN_KEY) )
	1136	$secret_key = LOGGED_IN_KEY;
	1137
	1138	if ( defined('LOGGED_IN_SALT') ) {
	1139	$salt = LOGGED_IN_SALT;
	1140	} else {
	1141	$salt = get_option('logged_in_salt');
	1142	if ( empty($salt) ) {
	1143	$salt = wp_generate_password();
	1144	update_option('logged_in_salt', $salt);
	1145	}
	1146	}
	1147	}
	1148
	1149	return apply_filters('salt', $secret_key . $salt, $scheme);
1098	1150	}
1099	1151	endif;
…	…
1109	1161	* @return string Hash of $data
1110	1162	*/
1111		function wp_hash($data) {
1112		$salt = wp_salt();
	1163	function wp_hash($data, $scheme = 'auth') {
	1164	$salt = wp_salt($scheme);
1113	1165
1114	1166	return hash_hmac('md5', $data, $salt);

trunk/wp-includes/user.php

r7742	r8069
1	1	<?php
2	2
3		function wp_signon( $credentials = '' ) {
	3	function wp_signon( $credentials = '', $secure_cookie = '' ) {
4	4	if ( empty($credentials) ) {
5	5	if ( ! empty($_POST['log']) )
…	…
22	22	do_action_ref_array('wp_authenticate', array(&$credentials['user_login'], &$credentials['user_password']));
23	23
	24	if ( '' === $secure_cookie )
	25	$secure_cookie = is_ssl() ? true : false;
	26
24	27	// If no credential info provided, check cookie.
25	28	if ( empty($credentials['user_login']) && empty($credentials['user_password']) ) {
…	…
28	31	return new WP_User($user);
29	32
30		if ( !empty($_COOKIE[AUTH_COOKIE]) )
	33	if ( $secure_cookie )
	34	$auth_cookie = SECURE_AUTH_COOKIE;
	35	else
	36	$auth_cookie = AUTH_COOKIE;
	37
	38	if ( !empty($_COOKIE[$auth_cookie]) )
31	39	return new WP_Error('expired_session', __('Please log in again.'));
32	40
…	…
49	57	return $user;
50	58
51		wp_set_auth_cookie($user->ID, $credentials['remember']);
	59	wp_set_auth_cookie($user->ID, $credentials['remember'], $secure_cookie);
52	60	do_action('wp_login', $credentials['user_login']);
53	61	return $user;

trunk/wp-login.php

r8061	r8069
11	11	/** Make sure that the WordPress bootstrap has ran before continuing. */
12	12	require( dirname(__FILE__) . '/wp-load.php' );
	13
	14	// Redirect to https login if forced to use SSL
	15	if ( (force_ssl_admin() \|\| force_ssl_login()) && !is_ssl() ) {
	16	if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
	17	wp_redirect(preg_replace('\|^http://\|', 'https://', $_SERVER['REQUEST_URI']));
	18	exit();
	19	} else {
	20	wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
	21	exit();
	22	}
	23	}
13	24
14	25	/**
…	…
138	149	$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
139	150	$message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n";
140		$message .= site_url("wp-login.php?action=rp&key=$key") . "\r\n";
	151	$message .= site_url("wp-login.php?action=rp&key=$key", 'login') . "\r\n";
141	152
142	153	if ( !wp_mail($user_email, sprintf(__('[%s] Password Reset'), get_option('blogname')), $message) )
…	…
175	186	$message = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
176	187	$message .= sprintf(__('Password: %s'), $new_pass) . "\r\n";
177		$message .= site_url('wp-login.php') . "\r\n";
	188	$message .= site_url('wp-login.php', 'login') . "\r\n";
178	189
179	190	if ( !wp_mail($user->user_email, sprintf(__('[%s] Your new password'), get_option('blogname')), $message) )
…	…
313	324	<p id="nav">
314	325	<?php if (get_option('users_can_register')) : ?>
315		<a href="<?php echo site_url('wp-login.php', '~~forceable~~') ?>"><?php _e('Log in') ?></a> \|
316		<a href="<?php echo site_url('wp-login.php?action=register') ?>"><?php _e('Register') ?></a>
	326	<a href="<?php echo site_url('wp-login.php', 'login') ?>"><?php _e('Log in') ?></a> \|
	327	<a href="<?php echo site_url('wp-login.php?action=register', 'login') ?>"><?php _e('Register') ?></a>
317	328	<?php else : ?>
318		<a href="<?php echo site_url('wp-login.php', '~~forceable~~') ?>"><?php _e('Log in') ?></a>
	329	<a href="<?php echo site_url('wp-login.php', 'login') ?>"><?php _e('Log in') ?></a>
319	330	<?php endif; ?>
320	331	</p>
…	…
381	392
382	393	<p id="nav">
383		<a href="<?php echo site_url('wp-login.php', '~~forceable~~') ?>"><?php _e('Log in') ?></a> \|
384		<a href="<?php echo site_url('wp-login.php?action=lostpassword') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
	394	<a href="<?php echo site_url('wp-login.php', 'login') ?>"><?php _e('Log in') ?></a> \|
	395	<a href="<?php echo site_url('wp-login.php?action=lostpassword', 'login') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
385	396	</p>
386	397
…	…
396	407	case 'login' :
397	408	default:
398		~~$user = wp_signon();~~
399
400	409	if ( isset( $_REQUEST['redirect_to'] ) )
401	410	$redirect_to = $_REQUEST['redirect_to'];
402	411	else
403	412	$redirect_to = 'wp-admin/';
	413
	414	if ( is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) )
	415	$secure_cookie = false;
	416	else
	417	$secure_cookie = '';
	418
	419	$user = wp_signon('', $secure_cookie);
404	420
405	421	if ( !is_wp_error($user) ) {
…	…
455	471	<?php if ( isset($_GET['checkemail']) && in_array( $_GET['checkemail'], array('confirm', 'newpass') ) ) : ?>
456	472	<?php elseif (get_option('users_can_register')) : ?>
457		<a href="<?php echo site_url('wp-login.php?action=register') ?>"><?php _e('Register') ?></a> \|
458		<a href="<?php echo site_url('wp-login.php?action=lostpassword') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
	473	<a href="<?php echo site_url('wp-login.php?action=register', 'login') ?>"><?php _e('Register') ?></a> \|
	474	<a href="<?php echo site_url('wp-login.php?action=lostpassword', 'login') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
459	475	<?php else : ?>
460		<a href="<?php echo site_url('wp-login.php?action=lostpassword') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
	476	<a href="<?php echo site_url('wp-login.php?action=lostpassword', 'login') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
461	477	<?php endif; ?>
462	478	</p>

trunk/wp-settings.php

r8068	r8069
335	335	/**
336	336	* It is possible to define this in wp-config.php
	337	* @since 2.6
	338	*/
	339	if ( !defined('LOGGED_IN_COOKIE') )
	340	define('LOGGED_IN_COOKIE', 'wordpress_logged_in_' . COOKIEHASH);
	341
	342	/**
	343	* It is possible to define this in wp-config.php
337	344	* @since 2.3.0
338	345	*/
…	…
360	367	if ( !defined('COOKIE_DOMAIN') )
361	368	define('COOKIE_DOMAIN', false);
362
	369
	370	/**
	371	* It is possible to define this in wp-config.php
	372	* @since 2.6
	373	*/
	374	if ( !defined('FORCE_SSL_ADMIN') )
	375	define('FORCE_SSL_ADMIN', false);
	376	force_ssl_admin(FORCE_SSL_ADMIN);
	377
	378	/**
	379	* It is possible to define this in wp-config.php
	380	* @since 2.6
	381	*/
	382	if ( !defined('FORCE_SSL_LOGIN') )
	383	define('FORCE_SSL_LOGIN', false);
	384	force_ssl_login(FORCE_SSL_LOGIN);
	385
363	386	/**
364	387	* It is possible to define this in wp-config.php

Download in other formats: