• Resolved Antony Booker

    (@antonynz)


    There is an issue with the simple membership cookie and WordPress logged in cookie expiring at different times.

    For example if the “remember me” option isn’t selected in the login portal, the WordPress logged in cookies expire after the browser is closed but the simple membership cookies would stay active for another 2 days.

    This causes WP logged in code (such as when using is_user_logged_in) to show the user as logged out of WordPress but in fact the user will be logged into the membership side still. An example case would be to show a logged in button in the WP menu. The expired WP logged in cookie would cause the link to show a “Login” button despite the simple membership cookie saying they are still logged in.

    I’ve used the below code to get around this by expiring the simple membership cookies if the user isn’t logged into WP. It’s a little messy but stops the issue above and better aligns the cookies.

    // Remove membership cookies if not logged into WordPress
    add_action( 'after_setup_theme', 'remove_membership_cookies' );
    function remove_membership_cookies() {
    	$auth_cookie = 'simple_wp_membership_sec_' . COOKIEHASH;
    	// Only act when WP sees a logged-out visitor who still carries a membership cookie.
    	if ( ! is_user_logged_in() && ( isset( $_COOKIE[ $auth_cookie ] ) || isset( $_COOKIE['swpm_session'] ) ) ) {
    		// Drop the values for this request, then expire the cookies in the browser.
    		unset( $_COOKIE[ $auth_cookie ] );
    		setcookie( $auth_cookie, '', -1 ); // empty string instead of null (null is deprecated for this parameter in PHP 8.1+)
    		unset( $_COOKIE['swpm_session'] );
    		setcookie( 'swpm_session', '', -1 );
    	}
    }

    I also noticed the simple membership plugin hardcodes the cookie times below to maybe try to match the default WordPress cookie expiry times. There is an auth_cookie_expiration filter to change this default so potentially these times could be different on different sites.

    if ( $remember ) {
    	$expiration = time() + 1209600; //14 days
    	$expire     = $expiration + 43200; //12 hours grace period
    } else {
    	$expiration = time() + 259200; //3 days.
    	$expire     = $expiration; //The minimum cookie expiration should be at least a few days.
    }

    Ideally the simple membership cookie would expire when a user is logged out of WordPress or a cleaner solution would be to use the WordPress logged in cookie/functionality instead of separate cookies.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support mbrsolution

    (@mbrsolution)

    Hi, in regards to the remember me option please read the following forum post.

    https://simple-membership-plugin.com/forums/topic/wont-log-out-when-browser-is-closed/#post-13434

    Let me know if this helps you in any way.

    Kind regards.

    Thread Starter Antony Booker

    (@antonynz)

    Thanks for the reply. The page mentions the expiry times of the simple membership cookie in different scenarios but doesn’t address the issue when it expires at different times to the WordPress logged in cookie:

    2. If the “Remember Me” box is not checked, the login cookie used by the plugin is given an expiration date of 3 days.

    In this case the WordPress cookie would be set to a session only and when the browser is closed the user would be logged out of WordPress, but still logged into the simple membership plugin.

    Perhaps the developers could set the expire time when remember me isn’t checked to a session cookie so it expires when the browser is closed?

    There would still possibly be an alignment issue with the default WP cookie, since the WordPress cookie expiry time can be changed from the default 14 days, as well as the plugin adding an additional 12 hour grace period.

    This could cause private/confidential details to be leaked through cache pages too, i.e. if logged out of WordPress and visiting a page with private details or restricted content the page would be cached, potentially allowing regular logged out visitors to access that content. Most page caching plugins will cache pages when the WP logged in cookie isn’t set. Setting a donotcache variable on key pages could be a good idea here.

    The Simple membership plugin does auto login the user if the WordPress cookies are valid so it’s only an issue if the WP cookies expire before the simple membership cookies do.
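
The caching mitigation suggested in the post above, as an added example that is not part of the original thread or the plugin's code: it marks a response as non-cacheable whenever the request carries the membership auth cookie named in this thread while WordPress itself reports the visitor as logged out. The `example_` function names are hypothetical, and leaving `swpm_session` out of the check is an assumption explained in the code comment.

```php
<?php
// Added example (not Simple Membership plugin code). Intended for a small
// site-specific plugin or the theme's functions.php.

/**
 * True when the request carries the membership auth cookie but WordPress
 * does not consider the visitor logged in, i.e. the mismatch window
 * described in this thread.
 *
 * Assumption: swpm_session is deliberately not checked, in case it is also
 * present for visitors who are not logged in as members; add it to $names
 * if that does not hold on your site.
 */
function example_swpm_only_session( array $cookies, bool $wp_logged_in ): bool {
	if ( $wp_logged_in ) {
		// WordPress cookie is valid; page caches already bypass this request.
		return false;
	}
	$names = array( 'simple_wp_membership_sec_' . COOKIEHASH );
	foreach ( $names as $name ) {
		if ( ! empty( $cookies[ $name ] ) ) {
			return true;
		}
	}
	return false;
}

// Priority 0: run before the template renders any member-only content.
add_action( 'template_redirect', 'example_swpm_no_cache_guard', 0 );
function example_swpm_no_cache_guard() {
	if ( ! example_swpm_only_session( $_COOKIE, is_user_logged_in() ) ) {
		return;
	}
	// Checked by page-cache plugins that honour this constant before
	// storing the generated page.
	if ( ! defined( 'DONOTCACHEPAGE' ) ) {
		define( 'DONOTCACHEPAGE', true );
	}
	// Sends WordPress's standard no-cache headers for caches outside
	// WordPress (reverse proxy, CDN, host-level cache).
	nocache_headers();
}
```

This only stops the member's own page view from being stored; whether a given plugin or hosting cache honours `DONOTCACHEPAGE` or the no-cache headers has to be confirmed per setup.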

    Plugin Support mbrsolution

    (@mbrsolution)

    Hi, I understand what you mean. Currently that is how our plugin works with the cookie. However I have submitted a message to the developers to investigate further your request.

    Kind regards.

    Plugin Author wp.insider

    (@wpinsider-1)

    Thank you.

    We have a plan that at some point in the future, we want to have a settings option which will allow the plugin to work without using WP user entries at all. That way some users can choose to use that configuration if they want to. So we definitely want to keep a level of detachment from the WP user entries.

    With that said, I can make the following modifications which I believe should provide a solution to your current problem.

    The plugin has the following option in the “Advanced Settings” menu of the plugin.

    Force WP User Synchronization

    When this setting is enabled, it will match the cookie duration of the SWPM users to the WP user. Let me know if this will work for you.

    Also, if you need any new filters, you can make a suggestion.

    The caching issue (if you are having any) should be handled separately since different caching solutions can have different outcomes. We have some suggestions as to what setup to use for some of the caching plugins that are listed here:

    https://simple-membership-plugin.com/simple-membership-documentation/#compatibility-with-other-plugins

    However, note that caching doesn’t only come from a WordPress plugin. Many hosting providers will apply caching that needs to be investigated on a case-by-case basis to see what caching techniques are being used.

    Thread Starter Antony Booker

    (@antonynz)

    Thanks for the reply. The Force user synchronization option seems to address the issue and logs out the user when the WP logged in cookie has expired. Bit of an odd setup; I think that should be enabled by default to prevent caching conflicts.

    Plugin Author wp.insider

    (@wpinsider-1)

    There were some backwards compatibility items to take care of (due to how the plugin has evolved over time). In the new version we will check that option by default.

  • The topic ‘Align membership login cookies with WordPress logged in cookie’ is closed to new replies.