Ticket #2039 (closed defect: fixed)

Opened 3 years ago

Last modified 1 year ago

Wordpress fails silently when cookies are disabled

Reported by: sjmurdoch
Assigned to: westi
Priority: normal
Milestone: 2.3
Component: General
Version: 2.0
Severity: major
Keywords: has-patch
Cc: sjmurdoch

Description

If a user has disabled cookies then on logging in the user is returned to the login page without any error message being displayed.

Wordpress should preferably be able to work with cookies disabled, but at the very least should display an understandable error message when the user has done this.

Steps to reproduce:

  1. Disable accepting cookies in web browser
  2. Go to http://<wordpress>/wp-login.php
  3. Enter valid login username and password
  4. Click "Login >>"
  5. User is returned to wp-login.php without error message
  • Version tested: wordpress-2.0-RC1
  • PHP version: 4.1.2-7.woody5
  • Operating system: Debian GNU/Linux 3.0

Attachments

2039.diff (1.6 kB) - added by wendel279 on 02/07/06 07:00:47.
JavaScript to notify user onLoad
2039b.diff (1.1 kB) - added by Nazgul on 10/06/06 01:35:27.
login-test-cookie-r5735.patch (1.5 kB) - added by tellyworth on 06/20/07 02:39:56.
2039.refreshed.diff (1.5 kB) - added by westi on 09/01/07 10:07:26.
Refreshed patch

Change History

12/08/05 19:25:57 changed by sjmurdoch

  • component changed from Administration to General.
  • severity changed from normal to major.

12/09/05 11:45:14 changed by sjmurdoch

  • cc set to wptrac+Steven.Murdoch@cl.cam.ac.uk.

12/10/05 17:27:31 changed by sjmurdoch

  • cc changed from wptrac+Steven.Murdoch@cl.cam.ac.uk to sjmurdoch.

02/07/06 07:00:47 changed by wendel279

  • attachment 2039.diff added.

JavaScript to notify user onLoad

02/07/06 07:03:12 changed by wendel279

I figured a message informing the user that their cookies are disabled onLoad would work. What do you think?

02/07/06 10:08:19 changed by markjaquith

Good idea, but the patch needs some serious work in terms of grammar and XHTML validity.

02/08/06 12:24:16 changed by sjmurdoch

I am not sure if Javascript is the right way to go, since there is a good chance that people paranoid enough to turn off cookies will have turned off Javascript too.

The scheme I have used in the past was suggested in CGI Programming with Perl, and it doesn't rely on Javascript.

The login page checks for a cookie. If it is present, great, otherwise it sets a cookie then redirects to a cookie test page. If the cookie is set, it redirects back to the login page, otherwise it displays an error message. The book recommends that the redirection URL be an absolute path to avoid the webserver ignoring it.

10/05/06 23:46:55 changed by Nazgul

  • keywords set to dev-feedback.

Do we actually need to determine this programmatically or would a fixed footnote on the login page stating "requires cookies" be sufficient?

10/06/06 00:34:40 changed by sjmurdoch

@Nazgul

For usability reasons, yes I think this should be caught programmatically. Otherwise there is an extra message to read for the users who have cookies enabled. For those who do not, a static footnote could be easily missed, whereas a big error message would be clear.

10/06/06 01:35:27 changed by Nazgul

  • attachment 2039b.diff added.

10/06/06 01:36:39 changed by Nazgul

  • milestone set to 2.1.

First stab at a patch. Please shoot at it.

10/28/06 17:17:46 changed by Nazgul

  • owner changed from anonymous to Nazgul.
  • status changed from new to assigned.

11/29/06 23:12:37 changed by matt

  • milestone changed from 2.1 to 2.2.

03/27/07 18:49:10 changed by foolswisdom

  • milestone changed from 2.2 to 2.3.

05/15/07 21:27:08 changed by rob1n

  • owner changed from Nazgul to rob1n.
  • status changed from assigned to new.

05/15/07 23:41:36 changed by rob1n

  • keywords deleted.
  • milestone changed from 2.3 to 2.4.

06/14/07 02:44:49 changed by rob1n

  • milestone changed from 2.4 (future) to 2.3 (trunk).

06/14/07 02:44:52 changed by rob1n

  • status changed from new to assigned.

06/20/07 02:39:56 changed by tellyworth

  • attachment login-test-cookie-r5735.patch added.

06/20/07 02:41:03 changed by tellyworth

login-test-cookie-r5735.patch takes a simpler server-side approach. Instead of a redirect, a test cookie is sent when the login form is displayed, and checked when the POST is processed.

06/20/07 05:17:26 changed by foolswisdom

  • keywords set to has-patch.

06/22/07 18:09:26 changed by nbachiyski

I like the server-side approach more, but do we need to use as test content the password cookie? Isn't just a "test" enough?

09/01/07 10:07:26 changed by westi

  • attachment 2039.refreshed.diff added.

Refreshed patch

09/01/07 10:08:20 changed by westi

  • owner changed from rob1n to westi.
  • status changed from assigned to new.

I have updated the patch to address the concerns.

Test cookie is no longer the password hash.

I have also changed the error message to be more informative.

09/02/07 17:17:43 changed by westi

Ok. I've slept on this and I think it should go in.

If people have issues with the error message then raise a new ticket to get it changed ;-)

09/02/07 17:20:38 changed by westi

  • status changed from new to closed.
  • resolution set to fixed.

(In [6009]) Inform the user when cookies are disabled and login fails. Fixed #2039 props tellyworth.
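
The server-side check discussed in this ticket (test cookie sent with the login form, checked when the POST is processed, with a test value that is not the password hash), sketched as an added example; this is not the WordPress patch or code from any participant. The cookie name, marker value, user table and function names are assumptions made for the illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

TEST_COOKIE = "login_test_cookie"   # hypothetical cookie name
TEST_VALUE = "cookie-check"         # fixed marker; never a password hash or other secret
USERS = {"alice": "correct horse"}  # constructed stand-in for the real credential check


def render_login_form():
    """GET handler: return the form together with the test cookie."""
    jar = SimpleCookie()
    jar[TEST_COOKIE] = TEST_VALUE
    jar[TEST_COOKIE]["path"] = "/"
    jar[TEST_COOKIE]["httponly"] = True
    return {"status": 200, "set_cookie": jar[TEST_COOKIE].OutputString()}


def process_login(cookie_header, username, password):
    """POST handler: confirm the test cookie came back, then check credentials."""
    sent = SimpleCookie()
    sent.load(cookie_header or "")
    if TEST_COOKIE not in sent or sent[TEST_COOKIE].value != TEST_VALUE:
        # A session cookie could not be stored either, so report that
        # instead of silently showing the login form again.
        return {"status": 200, "error": "cookies_blocked"}
    expected = USERS.get(username, "")
    if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
        return {"status": 200, "error": "bad_credentials"}
    return {"status": 302, "error": None, "session": secrets.token_urlsafe(32)}


def simulate_browser(accept_cookies, username, password):
    """Constructed client: load the form, then submit it."""
    form = render_login_form()
    # A browser sends back only name=value, not the cookie attributes.
    cookie_header = form["set_cookie"].split(";", 1)[0] if accept_cookies else ""
    return process_login(cookie_header, username, password)


if __name__ == "__main__":
    print(simulate_browser(True, "alice", "correct horse")["error"])
    print(simulate_browser(False, "alice", "correct horse")["error"])
```

Because the cookie check runs before the credential check, a browser that blocks cookies gets the same "cookies_blocked" result whether or not the password was right.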