wordpress_logged_in_HASH

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

wordpress_logged_in_HASH

Haluk Karamete
document.cookie does not report/contain the wordpress cookie starting with
the prefix "wordpress_logged_in_" followed by a hash.

This is most likely, it is an httpOnly cookie.
But it surely shows up on the chrome->dev-console->resources->cookies

Is there a JavaScript way to know whether that cookie is there or not?

It would be there, it the user logged in, and if would not be there, if the
user logged out, or that cookie has expired.

If document.cookie reported all the names of the cookie, this would not
have been an issue.
_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers
Reply | Threaded
Open this post in threaded view
|

Re: wordpress_logged_in_HASH

Nikola Nikolov
Well, I believe that there's a reason why some cookies are httpOnly and not
accessible via JavaScript(security comes to mind?).

A way around this would be to add some other flag within your DOM or
otherwise JS-accessible that the current visitor is a logged-in user. Not
sure if it's WordPress that does that, but with Twenty Fourteen, the body
gets a class of "logged-in" so you can easily check that. Alternatively you
can either hook to 'wp_head' or 'wp_footer' and render your own <script>
tag with a variable in it, or you can use wp_localize_script() to again
pass something from PHP to JS.

The browser shows you the cookies, because it's the browser and it has
control of everything(plus it has to take those cookies to the server with
every request, right?). The specifications don't allow JavaScript to access
httpOnly cookies and I don't think anyone would build a browser that
doesn't follow that specification.

On Tue, 16 Feb 2016 at 06:24 Haluk Karamete <[hidden email]> wrote:

> document.cookie does not report/contain the wordpress cookie starting with
> the prefix "wordpress_logged_in_" followed by a hash.
>
> This is most likely, it is an httpOnly cookie.
> But it surely shows up on the chrome->dev-console->resources->cookies
>
> Is there a JavaScript way to know whether that cookie is there or not?
>
> It would be there, it the user logged in, and if would not be there, if the
> user logged out, or that cookie has expired.
>
> If document.cookie reported all the names of the cookie, this would not
> have been an issue.
> _______________________________________________
> wp-hackers mailing list
> [hidden email]
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers
Reply | Threaded
Open this post in threaded view
|

Re: wordpress_logged_in_HASH

Haluk Karamete
Thanks Nikola.

On Tue, Feb 16, 2016 at 1:43 AM, Nikola Nikolov <[hidden email]>
wrote:

> Well, I believe that there's a reason why some cookies are httpOnly and not
> accessible via JavaScript(security comes to mind?).
>
> A way around this would be to add some other flag within your DOM or
> otherwise JS-accessible that the current visitor is a logged-in user. Not
> sure if it's WordPress that does that, but with Twenty Fourteen, the body
> gets a class of "logged-in" so you can easily check that. Alternatively you
> can either hook to 'wp_head' or 'wp_footer' and render your own <script>
> tag with a variable in it, or you can use wp_localize_script() to again
> pass something from PHP to JS.
>
> The browser shows you the cookies, because it's the browser and it has
> control of everything(plus it has to take those cookies to the server with
> every request, right?). The specifications don't allow JavaScript to access
> httpOnly cookies and I don't think anyone would build a browser that
> doesn't follow that specification.
>
> On Tue, 16 Feb 2016 at 06:24 Haluk Karamete <[hidden email]>
> wrote:
>
> > document.cookie does not report/contain the wordpress cookie starting
> with
> > the prefix "wordpress_logged_in_" followed by a hash.
> >
> > This is most likely, it is an httpOnly cookie.
> > But it surely shows up on the chrome->dev-console->resources->cookies
> >
> > Is there a JavaScript way to know whether that cookie is there or not?
> >
> > It would be there, it the user logged in, and if would not be there, if
> the
> > user logged out, or that cookie has expired.
> >
> > If document.cookie reported all the names of the cookie, this would not
> > have been an issue.
> > _______________________________________________
> > wp-hackers mailing list
> > [hidden email]
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
> _______________________________________________
> wp-hackers mailing list
> [hidden email]
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers