
Unset option prevented users from logging in

Open david-prv opened this issue 3 months ago • 0 comments

We noticed that our users couldn't log in anymore using the correct password on the plugin's login page. Since it used to work before, ~~I suppose this happened after an update or so~~ (yes, indeed it was added here https://github.com/wpexpertsio/password-protected/commit/a42ebe84c39e69dd9ecf23f7f7d1d0612e316447).

We started to investigate and quickly noticed that the cookies were not set anymore after a user submitted the correct password. Thus, we debugged a bit and realized that `set_auth_cookie` wasn't working as expected. It strongly depends on the value of `$use_transient`, which is fetched here: `$use_transient = get_option( 'password_protected_use_transient', 'default' )`.

After checking the settings page of the plugin we also noted that none of the "Advance Cache Fix" radio buttons was checked, leading to an empty option, thus `get_option( 'password_protected_use_transient', 'default' )` results in an empty string (the fallback does not apply, since it's only used in case the option does not exist at all, compare `get_option` documentation).

Thus, we strongly recommend adding an additional check that validates the return value of `get_option` inside of your `set_auth_cookie` function. Alternatively, add a catch-all option if none of the expected values was found. Currently, if this option happens to be unset, the whole login mechanism breaks.

This could look as follows:

```php
$use_transient = get_option( 'password_protected_use_transient', 'default' );

if ( '' === $use_transient ) $use_transient = 'default'; // <--- FIX

if ( 'default' === $use_transient ) {
	setcookie( $this->cookie_name(), $password_protected_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_password_protected_cookie, true );
	if ( COOKIEPATH != SITECOOKIEPATH ) {
		setcookie( $this->cookie_name(), $password_protected_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_password_protected_cookie, true );
	}
}

if ( 'transient' === $use_transient ) {
	pp_set_transient( $this->cookie_name(), $password_protected_cookie, $expiration_time );
}

if ( 'something-else' === $use_transient ) {
	do_action(
		'password_protected_setting_set_cookie',
		$this->cookie_name(),
		$password_protected_cookie,
		$secure_password_protected_cookie,
		$expire
	);
}
```

david-prv Nov 21 '24 12:11
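Added example, not part of the original issue or the plugin's code: a standalone PHP sketch of the failure mode described above and of the "catch-all" variant of the fix, which maps any value outside an allow-list back to `default`. `demo_get_option` and `demo_normalize_mode` are hypothetical names; the first is a simplified stand-in that only mimics the `get_option` fallback behaviour the issue describes, and the sample option stores are constructed.

```php
<?php
// Hypothetical stand-in for get_option(): the fallback is returned only when
// the option does not exist at all, as described in the issue. An option that
// exists with an empty value is returned unchanged.
function demo_get_option( array $store, string $name, $fallback = false ) {
	return array_key_exists( $name, $store ) ? $store[ $name ] : $fallback;
}

// Hypothetical helper: anything that is not an exact member of the allow-list
// (empty string, false, unknown text) collapses to a known mode, so one of
// the cookie-setting branches always runs.
function demo_normalize_mode( $value, array $allowed, string $fallback = 'default' ): string {
	return ( is_string( $value ) && in_array( $value, $allowed, true ) ) ? $value : $fallback;
}

// Assumption: only the two modes named in the snippet above are listed here;
// a real allow-list would contain every value the settings page can store.
$allowed = array( 'default', 'transient' );

// Constructed sample states of the options table.
$cases = array(
	'option stored as empty string' => array( 'password_protected_use_transient' => '' ),
	'option missing'                => array(),
	'option set to transient'       => array( 'password_protected_use_transient' => 'transient' ),
	'option holds unexpected value' => array( 'password_protected_use_transient' => 'bogus' ),
);

foreach ( $cases as $label => $store ) {
	$raw  = demo_get_option( $store, 'password_protected_use_transient', 'default' );
	$mode = demo_normalize_mode( $raw, $allowed );
	printf( "%-30s raw=%s normalized=%s\n", $label, var_export( $raw, true ), $mode );
}
```

Unlike the single `'' === $use_transient` comparison, the allow-list check also covers a stored value that is neither empty nor one of the expected strings.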