Understanding some interactions between cookies, sessions, nonces, multisite...
David Anderson
2014-09-22 12:28:28 UTC
I just spent a *very* dull few hours tracing a problem, whereby
wp_create_nonce() returned a nonce which wp_verify_nonce() (running via
AJAX) did not accept.

This happened as follows:

1) the site was a sub-folder based multisite

2) the nonce was created by a page in the network dashboard, at
wp-admin/network/settings.php, and output in some JS on the settings page.

3) the ajaxurl JS variable being output by wp-admin/admin-header.php
goes via the main site which in this case lived at /main, and thus
ajaxurl was set to wp-admin/main/admin-ajax.url

4) The browser had a different wordpress_logged_in_(hex) cookie value
for /main than for /. i.e. Two separate cookies existed in the browser.
(The value of (hex) was the same - i.e. neither cookie lookup was empty).

5) This resulted in wp_get_session_token() returning a different value
when the nonce was checked (via AJAX, which got the cookie whose path
was set to /main) compared to when it was set (via the network dashboard
page, which got the cookie whose path was set to /).

I cleared all my cookies, and logged in via /wp-login.php again. Same
happened. Both cookies returned.

This site had this in its wp-config.php:

define('ADMIN_COOKIE_PATH', '/');
define('COOKIE_DOMAIN', '');
define('COOKIEPATH', '');
define('SITECOOKIEPATH', '');

After removing those lines, clearing cookies, and logging in again,
there was only one cookie, and everything worked.

This only breaks things on recent WP versions where
wp_get_session_token() is used in nonces.

I'm familiar with AJAX and nonces, but WP's login stuff is not something
I'm familiar with.
The questions I don't understand the answers too are:

1) Why my customer might have had those defines in his wp-config.php, and
2) Why this breaks things in this way, and
3) Is this a bug?

Best wishes,
UpdraftPlus - best WordPress backups - http://updraftplus.com
WordShell - WordPress fast from the CLI - http://wordshell.net