Description
We noticed that our users couldn't log in anymore using the correct password on the plugin's login page. Since it used to work before, I suppose this happened after an update or so (yes, indeed it was added here a42ebe8).
We started to investigate and quickly noticed that the cookies were not set anymore after a user submitted the correct password. Thus, we debugged a bit and realized that `set_auth_cookie` wasn't working as expected. It strongly depends on the value of `$use_transient`, which is fetched here: `$use_transient = get_option( 'password_protected_use_transient', 'default' )`.
After checking the settings page of the plugin we also noted that none of the "Advance Cache Fix" radio buttons was checked, leading to an empty option, thus `get_option( 'password_protected_use_transient', 'default' )` results in an empty string (the fallback does not apply, since it's only used in case the option does not exist at all, compare get_option documentation).
Thus, we strongly recommend adding an additional check that validates the return value of `get_option` inside of your `set_auth_cookie` function. Alternatively, add a catch-all option, if none of the expected values was found. Currently, if this option happens to be unset, the whole login mechanism breaks.
This could look as follows:
```php
$use_transient = get_option( 'password_protected_use_transient', 'default' );

// An option saved as an empty string bypasses the 'default' fallback above.
if ( '' === $use_transient ) {
	$use_transient = 'default'; // <--- FIX
}

if ( 'default' === $use_transient ) {
	// Regular cookie; set a second one when the site path differs from the cookie path.
	setcookie( $this->cookie_name(), $password_protected_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_password_protected_cookie, true );
	if ( COOKIEPATH != SITECOOKIEPATH ) {
		setcookie( $this->cookie_name(), $password_protected_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_password_protected_cookie, true );
	}
}

if ( 'transient' === $use_transient ) {
	pp_set_transient( $this->cookie_name(), $password_protected_cookie, $expiration_time );
}

if ( 'something-else' === $use_transient ) {
	do_action(
		'password_protected_setting_set_cookie',
		$this->cookie_name(),
		$password_protected_cookie,
		$secure_password_protected_cookie,
		$expire
	);
}
```
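The catch-all alternative mentioned in the report, as an added example that is not part of the original issue or the plugin's code: it maps any value outside an allow-list to `default`, going beyond the empty-string case. `demo_get_option()` and `normalize_use_transient()` are hypothetical names, and the option tables are constructed so the script runs without WordPress.

```php
<?php
// Added example, not plugin code. demo_get_option() is a hypothetical stand-in
// that mimics the documented get_option() rule: the default is returned only
// when the option does not exist at all.
function demo_get_option( array $store, string $name, $default = false ) {
	return array_key_exists( $name, $store ) ? $store[ $name ] : $default;
}

// Hypothetical helper: map anything outside the allow-list to 'default', so an
// empty or unexpected stored value can never skip every cookie branch.
function normalize_use_transient( $value, array $allowed ) {
	return ( is_string( $value ) && in_array( $value, $allowed, true ) ) ? $value : 'default';
}

// 'default' and 'transient' appear in the issue; 'something-else' is the
// issue's own placeholder for the third branch.
$allowed = array( 'default', 'transient', 'something-else' );

// Constructed option tables covering the cases discussed in the issue.
$cases = array(
	'option missing'     => array(),
	'saved as empty'     => array( 'password_protected_use_transient' => '' ),
	'saved as transient' => array( 'password_protected_use_transient' => 'transient' ),
	'unexpected value'   => array( 'password_protected_use_transient' => 'bogus' ),
);

foreach ( $cases as $label => $store ) {
	$raw  = demo_get_option( $store, 'password_protected_use_transient', 'default' );
	$mode = normalize_use_transient( $raw, $allowed );
	printf( "%-20s raw=%-12s mode=%s\n", $label, var_export( $raw, true ), $mode );
}
```

Only the "option missing" row is rescued by the `get_option` fallback; the empty and unexpected rows reach a cookie-setting branch only because of the normalization step.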