bbPress.org

Opened 15 years ago

Closed 15 years ago

#1117 closed defect (bug) (fixed)

bb-settings.php does not preserve $bb->sitecookiepath

Reported by: junsuijin
Owned by: junsuijin
Milestone: 1.0
Priority: high
Severity: major
Version: 1.0-rc-2
Component: General - Integration
Keywords: has-patch
Cc: junsuijin@…

Description

The problem here is that when the sitecookiepath and cookiepath are the same, there should not be 2 logged_in cookies set (looking at the code in bb-settings.php this seems the intention). However, $bb->sitecookiepath always gets the trailing / removed from it before setting the cookie, so this in practice does not happen, and causes WordPress integration to somewhat fail (unable to log in from bbPress and then out from WordPress in a situation where these two cookies should both be the same). In effect this means users logging in from bbP may think they've logged out if they do so from WP, because they are redirected to the logout page, and in some cases even logged out from WP, but never from bbP as well, thus posing a security risk for public kiosks.

Attachments (1)

1117.patch (611 bytes) - added by junsuijin 15 years ago.
very simple and tested with no problems


Change History (5)

@junsuijin
15 years ago

very simple and tested with no problems

#1 @junsuijin
15 years ago

  • Cc junsuijin@… added; junsuijin removed

#2 @junsuijin
15 years ago

As I just mentioned on the bbPress.org forum:
I tested a site with WP in the base folder and bbP in a subfolder of WP, and a site with WP in a subfolder of the base folder with bbP in a subfolder of WP. Neither site needs anything added to either config file (in terms of the suggestions from the admin pages), except that the 3 secret keys match between them (my nonce keys also match but that shouldn't matter). It is also necessary to fill in the wp-admin's bbPress Integration Plugin settings, and the bb-admin's WordPress Integration settings.

On any sites I've tested where I have WP in a subfolder of the base folder, and bbP in a subfolder of the WP folder, bbP sets 2 logged_in cookies, one with a trailing / and one without, which poses a problem since WP doesn't get rid of the one without a trailing / and thus WP cannot log out from bbP if the user logs in from bbP. After patching bb-settings.php with 1117.patch and testing it on both sites mentioned, and an additional site with WP in a subfolder of the base folder and bbP in a subfolder of WP, I found all sites integrating as expected and bbP would only set one logged_in cookie in all cases, as expected.
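
The failure described in the comment above, modelled as an added example that is not part of the ticket and is not bbPress or WordPress code: a browser stores cookies per (name, domain, path), so the slash-less `logged_in` cookie survives a logout that only expires the trailing-slash path. The domain, paths, function names and the `'fixed'` normalization are assumptions for illustration; the project's own fix in [2192] is not shown on this page.

```javascript
// Added illustration, not bbPress or WordPress code; names, domain and paths are constructed.
// A browser identifies a cookie by (name, domain, path), so "/wp" and "/wp/" are distinct.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  // Apply one Set-Cookie. expire=true models an expiry date in the past, which
  // deletes only the cookie with exactly this name, domain and path.
  set(name, domain, path, value, expire = false) {
    const key = [name, domain, path].join('|');
    if (expire) this.cookies.delete(key);
    else this.cookies.set(key, { name, domain, path, value });
  }
  // Cookies sent with a request, using RFC 6265 path matching (section 5.1.4).
  sentTo(domain, reqPath) {
    return [...this.cookies.values()].filter(c => c.domain === domain &&
      (reqPath === c.path || (reqPath.startsWith(c.path) &&
        (c.path.endsWith('/') || reqPath[c.path.length] === '/'))));
  }
}

const stripSlash = p => (p.length > 1 ? p.replace(/\/+$/, '') : p);
const withSlash = p => p.replace(/\/*$/, '/');

// Paths on which login sets logged_in. 'buggy' follows the ticket: only the site
// path loses its trailing slash, so two equal settings compare as different.
// 'fixed' (an assumed remedy, not changeset [2192]) normalizes both the same way.
function loginPaths(cookiePath, siteCookiePath, mode) {
  const fixed = mode === 'fixed';
  const own = fixed ? withSlash(cookiePath) : cookiePath;
  const site = fixed ? withSlash(siteCookiePath) : stripSlash(siteCookiePath);
  return own === site ? [own] : [own, site];
}

// Log in via the forum, log out via the site (assumed to expire only the
// trailing-slash path), then list logged_in cookies still sent to the forum.
function leftoverAfterSiteLogout(cookiePath, siteCookiePath, mode, forumPath = '/wp/forums/') {
  const jar = new CookieJar();
  for (const p of loginPaths(cookiePath, siteCookiePath, mode))
    jar.set('logged_in', 'example.test', p, 'constructed-token');
  jar.set('logged_in', 'example.test', withSlash(siteCookiePath), '', true);
  return jar.sentTo('example.test', forumPath).map(c => c.path);
}

console.log('buggy:', leftoverAfterSiteLogout('/wp/', '/wp/', 'buggy'));
console.log('fixed:', leftoverAfterSiteLogout('/wp/', '/wp/', 'fixed'));
```

A quick check on a live install is to log in through the forum and count the `logged_in` entries in the browser's cookie store: two entries whose paths differ only by a trailing slash indicate this condition.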

#3 @junsuijin
15 years ago

I suppose I should mention somewhere on here that I'm speaking about WordPress 2.8, and that this issue could potentially be resolved with the updated Integration Plugin, so I'll be sure to test this case when the plugin is released. :P

#4 @sambauers
15 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Fixed differently by [2192]
