Cross-domain WordPress cookies not set or recognized correctly, leading to authentication confusion #47

@MartinPaulEve


Problem

Cross-domain cookies are not being set or acted upon correctly in some circumstances.

  • If you log in at hcommons.org, the wordpress_* cookies (WordPress auth cookies) are set for the domain .hcommons.org (wildcard for hcommons and networks).
  • If you log in at up.hcommons.org, the wordpress_* cookies are set for .up.hcommons.org (wildcard for sites on the up network only).

As a result, logging into up.hcommons.org does not issue WordPress cookies valid for other subdomains.

Issue

On the hcommons site, additional cookies (e.g., SimpleSAMLAuthToken, SimpleSAMLSessionIDCommons, _saml_idp) are set that specify an active SAML IDP session. The system perceives the user as logged in due to these, but absent the required wordpress_* cookies, the user is redirected to the WordPress login page. The login form itself is present but hidden, which may be confusing.

Summary of observed behaviour:

  • Session cookies (SimpleSAML) indicate an active session.
  • Missing wordpress_* cookies lead to redirection to the (hidden) login page.
  • Users perceive this as an error or are unsure of their authentication state.

Impact

  • Users may become confused or stuck in a login loop, especially when working across subdomains or networks.
  • Authentication state is unclear.

Suggestions

  • Review cookie domain settings for WordPress auth to ensure correct propagation/availability across necessary subdomains.
  • Reconsider logic for redirecting users when SAML tokens are present but WordPress cookies are not.
  • Improve user messaging/UI for this edge case if redirect cannot be elegantly handled.
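
The cookie scoping described in this issue, as an added example (not part of the original issue or the project's code): it applies RFC 6265 domain-matching to the two login cases and classifies what each host would see. The cookie name `wordpress_logged_in_EXAMPLE`, the hosts `site.up.hcommons.org` and `other.hcommons.org`, and the `.hcommons.org` scope for the SAML cookie are assumptions.

```javascript
// Added example: RFC 6265 domain-matching applied to the cookie scopes in this issue.

// RFC 6265 section 5.1.3: a leading dot on the Domain attribute is ignored;
// a host matches when it equals the cookie domain or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Names of the cookies a browser would attach to a request for `host`.
function cookiesSentTo(host, jar) {
  return jar.filter((c) => domainMatches(host, c.domain)).map((c) => c.name);
}

// SAML cookie names as listed in the issue.
const SAML_NAMES = ["SimpleSAMLAuthToken", "SimpleSAMLSessionIDCommons", "_saml_idp"];

// What the server can infer from the cookies it receives for `host`.
function authState(host, jar) {
  const names = cookiesSentTo(host, jar);
  if (names.some((n) => n.startsWith("wordpress_"))) return "wordpress-session";
  // SAML session visible but no WordPress auth cookie: the state that ends
  // at the hidden login form.
  if (names.some((n) => SAML_NAMES.includes(n))) return "saml-only";
  return "anonymous";
}

// Constructed cookie jars. Assumption: the SAML cookie is scoped to .hcommons.org.
const saml = { name: "SimpleSAMLAuthToken", domain: ".hcommons.org" };
const loginAtRoot = [saml, { name: "wordpress_logged_in_EXAMPLE", domain: ".hcommons.org" }];
const loginAtUp = [saml, { name: "wordpress_logged_in_EXAMPLE", domain: ".up.hcommons.org" }];

// Hosts to check; the last two are hypothetical.
const HOSTS = ["hcommons.org", "up.hcommons.org", "site.up.hcommons.org", "other.hcommons.org"];

// Map each host to the state it would observe for a given jar.
function stateTable(jar) {
  return Object.fromEntries(HOSTS.map((h) => [h, authState(h, jar)]));
}

console.log("login at hcommons.org   :", stateTable(loginAtRoot));
console.log("login at up.hcommons.org:", stateTable(loginAtUp));
```

Any host that reports `saml-only` is one where the redirect and messaging logic needs an explicit branch, or where the WordPress cookie domain is narrower than the set of sites the SAML session covers.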


Labels: bug
