Introduce logged_in cookie. Deliver auth cookies only to wp-admin. see #7001

git-svn-id: http://svn.automattic.com/wordpress/trunk@8069 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
ryan 2008-06-11 17:25:55 +00:00
parent b666a1c910
commit 6adcab8b27
8 changed files with 188 additions and 62 deletions

View File

@ -111,7 +111,7 @@ if ( ($is_gecko || $is_winIE) && strpos(strtolower($_SERVER['HTTP_USER_AGENT']),
<?php } ?>
<div id="user_info"><p><?php printf(__('Howdy, <a href="%1$s">%2$s</a>!'), 'profile.php', $user_identity) ?> | <a href="<?php echo site_url('wp-login.php?action=logout') ?>" title="<?php _e('Log Out') ?>"><?php _e('Log Out'); ?></a> | <?php _e('<a href="http://codex.wordpress.org/">Help</a>') ?> | <?php _e('<a href="http://wordpress.org/support/">Forums</a>') ?> | <?php if ( $gears_compat ) { ?><span id="gears-menu"><a href="#" onclick="wpGears.message(1);return false;"><?php _e('Speed up!') ?></a></span><?php } ?></p></div>
<div id="user_info"><p><?php printf(__('Howdy, <a href="%1$s">%2$s</a>!'), 'profile.php', $user_identity) ?> | <a href="<?php echo site_url('wp-login.php?action=logout', 'login') ?>" title="<?php _e('Log Out') ?>"><?php _e('Log Out'); ?></a> | <?php _e('<a href="http://codex.wordpress.org/">Help</a>') ?> | <?php _e('<a href="http://wordpress.org/support/">Forums</a>') ?> | <?php if ( $gears_compat ) { ?><span id="gears-menu"><a href="#" onclick="wpGears.message(1);return false;"><?php _e('Speed up!') ?></a></span><?php } ?></p></div>
<?php
require(ABSPATH . 'wp-admin/menu-header.php');

View File

@ -1768,4 +1768,29 @@ function validate_file( $file, $allowed_files = '' ) {
function is_ssl() {
return ( 'on' == strtolower($_SERVER['HTTPS']) ) ? true : false;
}
function force_ssl_login($force = '') {
static $forced;
if ( '' != $force ) {
$old_forcded = $forced;
$forced = $force;
return $old_forced;
}
return $forced;
}
function force_ssl_admin($force = '') {
static $forced;
if ( '' != $force ) {
$old_forcded = $forced;
$forced = $force;
return $old_forced;
}
return $forced;
}
?>

View File

@ -33,9 +33,9 @@ function get_sidebar( $name = null ) {
function wp_loginout() {
if ( ! is_user_logged_in() )
$link = '<a href="' . site_url('wp-login.php', 'forceable') . '">' . __('Log in') . '</a>';
$link = '<a href="' . site_url('wp-login.php', 'login') . '">' . __('Log in') . '</a>';
else
$link = '<a href="' . site_url('wp-login.php?action=logout', 'forceable') . '">' . __('Log out') . '</a>';
$link = '<a href="' . site_url('wp-login.php?action=logout', 'login') . '">' . __('Log out') . '</a>';
echo apply_filters('loginout', $link);
}
@ -45,7 +45,7 @@ function wp_register( $before = '<li>', $after = '</li>' ) {
if ( ! is_user_logged_in() ) {
if ( get_option('users_can_register') )
$link = $before . '<a href="' . site_url('wp-login.php?action=register', 'forceable') . '">' . __('Register') . '</a>' . $after;
$link = $before . '<a href="' . site_url('wp-login.php?action=register', 'login') . '">' . __('Register') . '</a>' . $after;
else
$link = '';
} else {

View File

@ -780,7 +780,9 @@ function get_shortcut_link() {
function site_url($path = '', $scheme = null) {
// should the list of allowed schemes be maintained elsewhere?
if ( !in_array($scheme, array('http', 'https')) ) {
if ( ('forceable' == $scheme) && (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) )
if ( ('login' == $scheme) && ( force_ssl_login() || force_ssl_admin() ) )
$scheme = 'https';
elseif ( ('admin' == $scheme) && force_ssl_admin() )
$scheme = 'https';
else
$scheme = ( is_ssl() ? 'https' : 'http' );
@ -797,7 +799,7 @@ function site_url($path = '', $scheme = null) {
function admin_url($path = '') {
global $_wp_admin_url;
$url = site_url('wp-admin/', 'forceable');
$url = site_url('wp-admin/', 'admin');
if ( !empty($path) && is_string($path) && strpos($path, '..') === false )
$url .= ltrim($path, '/');

View File

@ -100,8 +100,10 @@ function get_currentuserinfo() {
return;
if ( ! $user = wp_validate_auth_cookie() ) {
wp_set_current_user(0);
return false;
if ( empty($_COOKIE[LOGGED_IN_COOKIE]) || !$user = wp_validate_auth_cookie($_COOKIE[LOGGED_IN_COOKIE], 'logged_in') ) {
wp_set_current_user(0);
return false;
}
}
wp_set_current_user($user);
@ -465,14 +467,18 @@ if ( !function_exists('wp_validate_auth_cookie') ) :
* @since 2.5
*
* @param string $cookie Optional. If used, will validate contents instead of cookie's
* @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
* @return bool|int False if invalid cookie, User ID if valid.
*/
function wp_validate_auth_cookie($cookie = '') {
function wp_validate_auth_cookie($cookie = '', $scheme = 'auth') {
if ( empty($cookie) ) {
if ( is_ssl() )
if ( is_ssl() ) {
$cookie_name = SECURE_AUTH_COOKIE;
else
$scheme = 'secure_auth';
} else {
$cookie_name = AUTH_COOKIE;
$scheme = 'auth';
}
if ( empty($_COOKIE[$cookie_name]) )
return false;
@ -495,7 +501,7 @@ function wp_validate_auth_cookie($cookie = '') {
if ( $expired < time() )
return false;
$key = wp_hash($username . '|' . $expiration);
$key = wp_hash($username . '|' . $expiration, $scheme);
$hash = hash_hmac('md5', $username . '|' . $expiration, $key);
if ( $hmac != $hash )
@ -519,18 +525,18 @@ if ( !function_exists('wp_generate_auth_cookie') ) :
*
* @param int $user_id User ID
* @param int $expiration Cookie expiration in seconds
* @param bool $secure Whether the cookie is for https delivery only or not. Not used by default. For plugin use.
* @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
* @return string Authentication cookie contents
*/
function wp_generate_auth_cookie($user_id, $expiration, $secure = false) {
function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') {
$user = get_userdata($user_id);
$key = wp_hash($user->user_login . '|' . $expiration);
$key = wp_hash($user->user_login . '|' . $expiration, $scheme);
$hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);
$cookie = $user->user_login . '|' . $expiration . '|' . $hash;
return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $secure);
return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $scheme);
}
endif;
@ -548,7 +554,7 @@ if ( !function_exists('wp_set_auth_cookie') ) :
* @param int $user_id User ID
* @param bool $remember Whether to remember the user or not
*/
function wp_set_auth_cookie($user_id, $remember = false) {
function wp_set_auth_cookie($user_id, $remember = false, $secure = '') {
if ( $remember ) {
$expiration = $expire = time() + 1209600;
} else {
@ -556,21 +562,27 @@ function wp_set_auth_cookie($user_id, $remember = false) {
$expire = 0;
}
if ( is_ssl() ) {
$secure = true;
$cookie_name = SECURE_AUTH_COOKIE;
if ( '' === $secure )
$secure = is_ssl() ? true : false;
if ( $secure ) {
$auth_cookie_name = SECURE_AUTH_COOKIE;
$scheme = 'secure_auth';
} else {
$secure = false;
$cookie_name = AUTH_COOKIE;
$auth_cookie_name = AUTH_COOKIE;
$scheme = 'auth';
}
$cookie = wp_generate_auth_cookie($user_id, $expiration, $secure);
$auth_cookie = wp_generate_auth_cookie($user_id, $expiration, $scheme);
$logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in');
do_action('set_auth_cookie', $cookie, $expire, $secure);
do_action('set_auth_cookie', $auth_cookie, $expire, $scheme);
do_action('set_auth_cookie', $logged_in_cookie, $expire, 'logged_in');
setcookie($cookie_name, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure);
setcookie($auth_cookie_name, $auth_cookie, $expire, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN, $secure);
setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN);
if ( COOKIEPATH != SITECOOKIEPATH )
setcookie($cookie_name, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure);
setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN);
}
endif;
@ -581,10 +593,12 @@ if ( !function_exists('wp_clear_auth_cookie') ) :
* @since 2.5
*/
function wp_clear_auth_cookie() {
setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH . 'wp-admin', COOKIE_DOMAIN);
setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
setcookie(LOGGED_IN_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
// Old cookies
setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
@ -621,15 +635,15 @@ if ( !function_exists('auth_redirect') ) :
function auth_redirect() {
// Checks if a user is logged in, if not redirects them to the login page
if ( is_ssl() || (defined('FORCE_SSL_LOGIN') && FORCE_SSL_LOGIN) )
if ( is_ssl() || force_ssl_admin() )
$secure = true;
else
$secure = false;
// If https is required and request is http, redirect
if ( $secure && !is_ssl() ) {
if ( false !== strpos($_SERVER['REQUEST_URI'], 'http') ) {
wp_redirect(str_replace('http://', 'https://', $_SERVER['REQUEST_URI']));
if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
exit();
} else {
wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
@ -643,7 +657,12 @@ function auth_redirect() {
// The cookie is no good so force login
nocache_headers();
$login_url = site_url( 'wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']), 'forceable' );
if ( is_ssl() )
$proto = 'https://';
else
$proto = 'http://';
$login_url = site_url( 'wp-login.php?redirect_to=' . urlencode($proto . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']), 'login' );
wp_redirect($login_url);
exit();
@ -971,7 +990,7 @@ function wp_new_user_notification($user_id, $plaintext_pass = '') {
$message = sprintf(__('Username: %s'), $user_login) . "\r\n";
$message .= sprintf(__('Password: %s'), $plaintext_pass) . "\r\n";
$message .= site_url("wp-login.php", 'forceable') . "\r\n";
$message .= site_url("wp-login.php", 'login') . "\r\n";
wp_mail($user_email, sprintf(__('[%s] Your username and password'), get_option('blogname')), $message);
@ -1078,23 +1097,56 @@ if ( !function_exists('wp_salt') ) :
*
* @return string Salt value from either 'SECRET_KEY' or 'secret' option
*/
function wp_salt() {
function wp_salt($scheme = 'auth') {
global $wp_default_secret_key;
$secret_key = '';
if ( defined('SECRET_KEY') && ('' != SECRET_KEY) && ( $wp_default_secret_key != SECRET_KEY) )
$secret_key = SECRET_KEY;
if ( defined('SECRET_SALT') ) {
$salt = SECRET_SALT;
} else {
$salt = get_option('secret');
if ( empty($salt) ) {
$salt = wp_generate_password();
update_option('secret', $salt);
if ( 'auth' == $scheme ) {
if ( defined('AUTH_KEY') && ('' != AUTH_KEY) && ( $wp_default_secret_key != AUTH_KEY) )
$secret_key = AUTH_KEY;
if ( defined('AUTH_SALT') ) {
$salt = AUTH_SALT;
} elseif ( defined('SECRET_SALT') ) {
$salt = SECRET_SALT;
} else {
$salt = get_option('auth_salt');
if ( empty($salt) ) {
$salt = wp_generate_password();
update_option('auth_salt', $salt);
}
}
} elseif ( 'secure_auth' == $scheme ) {
if ( defined('SECURE_AUTH_KEY') && ('' != SECURE_AUTH_KEY) && ( $wp_default_secret_key != SECURE_AUTH_KEY) )
$secret_key = SECURE_AUTH_KEY;
if ( defined('SECURE_AUTH_SALT') ) {
$salt = SECRET_AUTH_SALT;
} else {
$salt = get_option('secure_auth_salt');
if ( empty($salt) ) {
$salt = wp_generate_password();
update_option('secure_auth_salt', $salt);
}
}
} elseif ( 'logged_in' == $scheme ) {
if ( defined('LOGGED_IN_KEY') && ('' != LOGGED_IN_KEY) && ( $wp_default_secret_key != LOGGED_IN_KEY) )
$secret_key = LOGGED_IN_KEY;
if ( defined('LOGGED_IN_SALT') ) {
$salt = LOGGED_IN_SALT;
} else {
$salt = get_option('logged_in_salt');
if ( empty($salt) ) {
$salt = wp_generate_password();
update_option('logged_in_salt', $salt);
}
}
}
return apply_filters('salt', $secret_key . $salt);
return apply_filters('salt', $secret_key . $salt, $scheme);
}
endif;
@ -1108,8 +1160,8 @@ if ( !function_exists('wp_hash') ) :
* @param string $data Plain text to hash
* @return string Hash of $data
*/
function wp_hash($data) {
$salt = wp_salt();
function wp_hash($data, $scheme = 'auth') {
$salt = wp_salt($scheme);
return hash_hmac('md5', $data, $salt);
}

View File

@ -1,6 +1,6 @@
<?php
function wp_signon( $credentials = '' ) {
function wp_signon( $credentials = '', $secure_cookie = '' ) {
if ( empty($credentials) ) {
if ( ! empty($_POST['log']) )
$credentials['user_login'] = $_POST['log'];
@ -21,13 +21,21 @@ function wp_signon( $credentials = '' ) {
do_action_ref_array('wp_authenticate', array(&$credentials['user_login'], &$credentials['user_password']));
if ( '' === $secure_cookie )
$secure_cookie = is_ssl() ? true : false;
// If no credential info provided, check cookie.
if ( empty($credentials['user_login']) && empty($credentials['user_password']) ) {
$user = wp_validate_auth_cookie();
if ( $user )
return new WP_User($user);
if ( !empty($_COOKIE[AUTH_COOKIE]) )
if ( $secure_cookie )
$auth_cookie = SECURE_AUTH_COOKIE;
else
$auth_cookie = AUTH_COOKIE;
if ( !empty($_COOKIE[$auth_cookie]) )
return new WP_Error('expired_session', __('Please log in again.'));
// If the cookie is not set, be silent.
@ -48,7 +56,7 @@ function wp_signon( $credentials = '' ) {
if ( is_wp_error($user) )
return $user;
wp_set_auth_cookie($user->ID, $credentials['remember']);
wp_set_auth_cookie($user->ID, $credentials['remember'], $secure_cookie);
do_action('wp_login', $credentials['user_login']);
return $user;
}

View File

@ -11,6 +11,17 @@
/** Make sure that the WordPress bootstrap has ran before continuing. */
require( dirname(__FILE__) . '/wp-load.php' );
// Redirect to https login if forced to use SSL
if ( (force_ssl_admin() || force_ssl_login()) && !is_ssl() ) {
if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
exit();
} else {
wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
exit();
}
}
/**
* login_header() - Outputs the header for the login page
*
@ -137,7 +148,7 @@ function retrieve_password() {
$message .= get_option('siteurl') . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
$message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n";
$message .= site_url("wp-login.php?action=rp&key=$key") . "\r\n";
$message .= site_url("wp-login.php?action=rp&key=$key", 'login') . "\r\n";
if ( !wp_mail($user_email, sprintf(__('[%s] Password Reset'), get_option('blogname')), $message) )
die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>');
@ -174,7 +185,7 @@ function reset_password($key) {
wp_set_password($new_pass, $user->ID);
$message = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
$message .= sprintf(__('Password: %s'), $new_pass) . "\r\n";
$message .= site_url('wp-login.php') . "\r\n";
$message .= site_url('wp-login.php', 'login') . "\r\n";
if ( !wp_mail($user->user_email, sprintf(__('[%s] Your new password'), get_option('blogname')), $message) )
die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>');
@ -312,10 +323,10 @@ case 'retrievepassword' :
<p id="nav">
<?php if (get_option('users_can_register')) : ?>
<a href="<?php echo site_url('wp-login.php', 'forceable') ?>"><?php _e('Log in') ?></a> |
<a href="<?php echo site_url('wp-login.php?action=register') ?>"><?php _e('Register') ?></a>
<a href="<?php echo site_url('wp-login.php', 'login') ?>"><?php _e('Log in') ?></a> |
<a href="<?php echo site_url('wp-login.php?action=register', 'login') ?>"><?php _e('Register') ?></a>
<?php else : ?>
<a href="<?php echo site_url('wp-login.php', 'forceable') ?>"><?php _e('Log in') ?></a>
<a href="<?php echo site_url('wp-login.php', 'login') ?>"><?php _e('Log in') ?></a>
<?php endif; ?>
</p>
@ -380,8 +391,8 @@ case 'register' :
</form>
<p id="nav">
<a href="<?php echo site_url('wp-login.php', 'forceable') ?>"><?php _e('Log in') ?></a> |
<a href="<?php echo site_url('wp-login.php?action=lostpassword') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
<a href="<?php echo site_url('wp-login.php', 'login') ?>"><?php _e('Log in') ?></a> |
<a href="<?php echo site_url('wp-login.php?action=lostpassword', 'login') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
</p>
</div>
@ -395,13 +406,18 @@ break;
case 'login' :
default:
$user = wp_signon();
if ( isset( $_REQUEST['redirect_to'] ) )
$redirect_to = $_REQUEST['redirect_to'];
else
$redirect_to = 'wp-admin/';
if ( is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) )
$secure_cookie = false;
else
$secure_cookie = '';
$user = wp_signon('', $secure_cookie);
if ( !is_wp_error($user) ) {
// If the user can't edit posts, send them to their profile.
if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) )
@ -454,10 +470,10 @@ default:
<p id="nav">
<?php if ( isset($_GET['checkemail']) && in_array( $_GET['checkemail'], array('confirm', 'newpass') ) ) : ?>
<?php elseif (get_option('users_can_register')) : ?>
<a href="<?php echo site_url('wp-login.php?action=register') ?>"><?php _e('Register') ?></a> |
<a href="<?php echo site_url('wp-login.php?action=lostpassword') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
<a href="<?php echo site_url('wp-login.php?action=register', 'login') ?>"><?php _e('Register') ?></a> |
<a href="<?php echo site_url('wp-login.php?action=lostpassword', 'login') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
<?php else : ?>
<a href="<?php echo site_url('wp-login.php?action=lostpassword') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
<a href="<?php echo site_url('wp-login.php?action=lostpassword', 'login') ?>" title="<?php _e('Password Lost and Found') ?>"><?php _e('Lost your password?') ?></a>
<?php endif; ?>
</p>

View File

@ -332,6 +332,13 @@ if ( !defined('AUTH_COOKIE') )
if ( !defined('SECURE_AUTH_COOKIE') )
define('SECURE_AUTH_COOKIE', 'wordpress_sec_' . COOKIEHASH);
/**
* It is possible to define this in wp-config.php
* @since 2.6
*/
if ( !defined('LOGGED_IN_COOKIE') )
define('LOGGED_IN_COOKIE', 'wordpress_logged_in_' . COOKIEHASH);
/**
* It is possible to define this in wp-config.php
* @since 2.3.0
@ -359,7 +366,23 @@ if ( !defined('SITECOOKIEPATH') )
*/
if ( !defined('COOKIE_DOMAIN') )
define('COOKIE_DOMAIN', false);
/**
* It is possible to define this in wp-config.php
* @since 2.6
*/
if ( !defined('FORCE_SSL_ADMIN') )
define('FORCE_SSL_ADMIN', false);
force_ssl_admin(FORCE_SSL_ADMIN);
/**
* It is possible to define this in wp-config.php
* @since 2.6
*/
if ( !defined('FORCE_SSL_LOGIN') )
define('FORCE_SSL_LOGIN', false);
force_ssl_login(FORCE_SSL_LOGIN);
/**
* It is possible to define this in wp-config.php
* @since 2.5.0