Open
Labels: bug (Something isn't working)
Description
Problem
Cross-domain cookies are not being set or acted upon correctly in some circumstances.
- If you log in at hcommons.org, the wordpress_* cookies (WordPress auth cookies) are set for the domain .hcommons.org (wildcard for hcommons and networks).
- If you log in at up.hcommons.org, the wordpress_* cookies are set for .up.hcommons.org (wildcard for sites on the up network only).
As a result, logging into up.hcommons.org does not issue WordPress cookies valid for other subdomains.
Issue
On the hcommons site, additional cookies (e.g., SimpleSAMLAuthToken, SimpleSAMLSessionIDCommons, _saml_idp) are set that specify an active SAML IDP session. The system perceives the user as logged in due to these, but absent the required wordpress_* cookies, the user is redirected to the WordPress login page. The login form itself is present but hidden, which may be confusing.
Summary of observed behaviour:
- Session cookies (SimpleSAML) indicate an active session.
- Missing wordpress_* cookies lead to redirection to the (hidden) login page.
- Users perceive this as an error or are unsure of their authentication state.
Impact
- Users may become confused or stuck in a login loop, especially when working across subdomains or networks.
- Authentication state is unclear.
Suggestions
- Review cookie domain settings for WordPress auth to ensure correct propagation/availability across necessary subdomains.
- Reconsider logic for redirecting users when SAML tokens are present but WordPress cookies are not.
- Improve user messaging/UI for this edge case if redirect cannot be elegantly handled.
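As an added illustration (not code from the issue or the hcommons project), the following Python models browser cookie domain matching for the cookies named above and classifies the resulting authentication state per host; the Domain values and the wordpress_* cookie name suffix are assumptions based on the description.

```python
# Added example: RFC 6265 domain matching applied to the cookies the issue names,
# showing why wordpress_* cookies scoped to .up.hcommons.org are not sent to
# hcommons.org while SimpleSAML cookies scoped to .hcommons.org are, which
# yields the "SAML session present, WordPress cookie absent" state.
# Domain values and the wordpress_* suffix below are assumptions, not from the issue.

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: a host matches a Domain attribute if it equals the domain
    or is a subdomain of it; a leading dot on the attribute is ignored."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def cookies_sent_to(jar: dict, request_host: str) -> dict:
    """Subset of the jar a browser would attach to a request for request_host."""
    return {name: dom for name, dom in jar.items() if domain_matches(request_host, dom)}

def auth_state(jar: dict, request_host: str) -> str:
    """Classify what the server would see: a WordPress auth cookie means logged in;
    only SAML session cookies means the redirect-to-hidden-login edge case."""
    sent = cookies_sent_to(jar, request_host)
    has_saml = any(n.startswith("SimpleSAML") or n == "_saml_idp" for n in sent)
    has_wp = any(n.startswith("wordpress_") for n in sent)
    if has_wp:
        return "logged-in"
    if has_saml:
        return "saml-session-without-wp-cookie"
    return "logged-out"

# Constructed jar after logging in at up.hcommons.org (domains assumed):
JAR_AFTER_UP_LOGIN = {
    "SimpleSAMLAuthToken": ".hcommons.org",
    "SimpleSAMLSessionIDCommons": ".hcommons.org",
    "_saml_idp": ".hcommons.org",
    "wordpress_logged_in_example": ".up.hcommons.org",  # suffix constructed
}

# Constructed jar if the auth cookie domain were aligned with the SAML cookies:
JAR_SHARED_WP_DOMAIN = dict(JAR_AFTER_UP_LOGIN, wordpress_logged_in_example=".hcommons.org")
```

Running auth_state over both jars for hcommons.org and up.hcommons.org reproduces the mismatch described above and shows the effect of scoping the WordPress cookies to the shared parent domain.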