• Resolved porosi

    (@porosi)


    Hi Ali,

    Love the plugin. I just had a question regarding modifying generate_auth_cookie().

    I noticed that generate_auth_cookie() returns only a single cookie (wordpress_logged_in[hash]) and that single cookie does enable a login into the site, but we also needed the other two cookies that a standard WordPress login produces (wordpress_[hash] – domain: /wp-admin and wordpress_[hash] – domain: /wp-content/plugins) so that the user can use those cookies to navigate to the admin page.

    Without the wordpress_[hash] – domain: /wp-admin cookie, the user gets logged out when attempting to visit the admin pages.

    So we added:
    $cookie_auth = wp_generate_auth_cookie($user->ID, $expiration, 'secure_auth');
    to the generate_auth_cookie(), and with the ‘$cookie_auth’ variable we can obtain the value needed for the wordpress_[hash] – domain: /wp-admin cookie and keep the admin logged in.

    So, my question is, do you think making this modification will expose our code to some additional security vulnerabilities? Would placing this extra cookie on the user’s browser lead to some additional security risk?

    I thank you in advance for your response.

    • This topic was modified 5 years ago by porosi.
Viewing 2 replies - 1 through 2 (of 2 total)
  • richardhaynes

    (@richardhaynes)

    I need this too, thanks for posting Peter, it would be good to see this in the plugin itself so things don’t break if we update the plugin.

    Plugin Author Ali Qureshi

    (@parorrey)

    It won’t create any issue; I will make it part of the plugin code in the next update,

    thanks for asking and posting it.

    And sorry for replying late; WordPress forum notifications have not been working recently.

  • The topic ‘Modifying generate_auth_cookie() ?’ is closed to new replies.
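
Why the logged-in cookie alone does not carry into /wp-admin, as described in the original post: WordPress core signs each cookie scheme ('auth', 'secure_auth', 'logged_in') with a different salt, so a value generated for one scheme fails validation under another. The stand-alone PHP below is an added example, not code from the plugin or from WordPress itself; it is a simplified model of the core derivation (the session-token lookup is omitted), and the model_* function names, salts, user record and token are constructed assumptions.

```php
<?php
// Simplified stand-alone model of how WordPress core derives auth cookies.
// Salts, user record and token are constructed sample values, not real secrets.
const SALTS = [
    'auth'        => 'constructed-AUTH_KEY+AUTH_SALT',
    'secure_auth' => 'constructed-SECURE_AUTH_KEY+SECURE_AUTH_SALT',
    'logged_in'   => 'constructed-LOGGED_IN_KEY+LOGGED_IN_SALT',
];

// Models wp_hash(): keyed MD5 HMAC using the salt that belongs to the scheme.
function model_wp_hash(string $data, string $scheme): string {
    return hash_hmac('md5', $data, SALTS[$scheme]);
}

// Models the cookie value layout: login|expiration|token|hmac.
function model_generate_auth_cookie(array $user, int $expiration, string $scheme, string $token): string {
    $pass_frag = substr($user['user_pass'], 8, 4); // ties the cookie to the current password hash
    $key  = model_wp_hash($user['user_login'] . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme);
    $hmac = hash_hmac('sha256', $user['user_login'] . '|' . $expiration . '|' . $token, $key);
    return implode('|', [$user['user_login'], $expiration, $token, $hmac]);
}

// Models validation: recompute the HMAC under the scheme the requested area requires.
function model_validate_auth_cookie(string $cookie, array $user, string $scheme, int $now): bool {
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) return false;
    [$login, $expiration, $token, $hmac] = $parts;
    if ($login !== $user['user_login'] || (int) $expiration < $now) return false;
    $expected = explode('|', model_generate_auth_cookie($user, (int) $expiration, $scheme, $token))[3];
    return hash_equals($expected, $hmac); // constant-time comparison
}

// Constructed sample user and session values.
$user  = ['user_login' => 'admin', 'user_pass' => '$P$Bconstructedhashvalue0000000000'];
$exp   = 2000000000;
$now   = 1700000000;
$token = 'constructedsessiontoken';
$logged_in   = model_generate_auth_cookie($user, $exp, 'logged_in', $token);
$secure_auth = model_generate_auth_cookie($user, $exp, 'secure_auth', $token);
var_dump(model_validate_auth_cookie($logged_in, $user, 'logged_in', $now));     // front-end check
var_dump(model_validate_auth_cookie($logged_in, $user, 'secure_auth', $now));   // admin check with the wrong scheme
var_dump(model_validate_auth_cookie($secure_auth, $user, 'secure_auth', $now)); // admin check with the matching scheme
```

The 'secure_auth' value is the one the admin area accepts, so any response that carries it should be handled like a credential: sent over HTTPS only and kept out of logs.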