Reuse existing session token when refreshing sessions #948
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -579,12 +579,37 @@ public function onShutdown(): void | |
| if ('false' !== $this->getPlugin()->getOption('sessions', 'rolling_sessions')) { | ||
| $store = $this->getSdk()->configuration()->getSessionStorage(); | ||
|
|
||
| if ($store instanceof CookieStore) { | ||
| $store->setState(true); | ||
| } | ||
|
|
||
| // Extend the existing session token's expiry and reissue the browser cookies. | ||
| // | ||
| // The naive approach — calling wp_set_auth_cookie() with no token — rotates the | ||
| // session token. Because nonces are cryptographically bound to the session token, | ||
| // any nonce generated during the current request (with the old token) becomes | ||
| // invalid the moment the new cookie is sent, causing REST requests to fail with | ||
| // rest_cookie_invalid_nonce. | ||
| // | ||
| // wp_set_auth_cookie() accepts a $token argument. Passing the existing token | ||
| // reissues the browser cookies with a fresh expiration without rotating the token, | ||
| // so nonces remain valid and the full rolling-session behaviour is preserved. | ||
| $userId = get_current_user_id(); | ||
| $token = wp_get_session_token(); | ||
|
|
||
| if ('' !== $token) { | ||
| /** This filter is documented in wp-includes/pluggable.php */ | ||
| $expiration = apply_filters('auth_cookie_expiration', 14 * DAY_IN_SECONDS, $userId, true); | ||
|
|
||
| // Update the server-side session record (wp_set_auth_cookie does not do this | ||
| // when a token is supplied). | ||
| \WP_Session_Tokens::get_instance($userId)->update($token, [ | ||
|
Contributor
There was a problem hiding this comment.
Author
There was a problem hiding this comment. Oh, apparently I misunderstood how the token manager handles updates. Actually, from what I see, I think it's better here to read the existing token and only update the "expiration" field on it. Updated in dfbde56. |
||
| 'expiration' => time() + $expiration, | ||
| ]); | ||
|
|
||
| // Reissue the browser cookies with the same token and new expiration. | ||
| wp_set_auth_cookie($userId, true, '', $token); | ||
| } | ||
| } | ||
| } | ||
|
|
||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The 14 * DAY_IN_SECONDS default mirrors what WordPress core uses inside
wp_set_auth_cookie(), but it's an implicit coupling. If core ever changes that default, these two would diverge.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
True. I'm not sure what the best default value to use here is anyway, so I just went with the logic from core. Maybe the default should match the Auth0 session expiration lifetime, since we have access to that?
Regardless, sites can modify this using the core "auth_cookie_expiration" filter.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The likelihood of core changing that default is very very low, and if you have to choose some other value regardless then you've already diverged. Given there are settings for this in the admin anyway it doesn't feel like this should be a blocker to me at least.