BUG SOLVED!: Maintaining Authentication after browser shutdown

Patreon WordPress Dev Team. I found/fixed the bug in the WordPress plugin that causes the authentication to be lost with browser close (users have to log in every time).

Simply in your patreon_login.php you call wp_set_auth_cookie to create the authentication cookie (as you should) but you never pass the second parameter “remember” to create an auth cookie with a future expiration date. Instead every single time the auth takes place the cookie is created as a session cookie, which means the cookie is deleted when the browser is closed… forcing users to log in again every time.

This is not a good user behavior. Users expect to be able to go considerable time (a month?) without logging in again.

For my TEST fix, where you call in three places: wp_set_auth_cookie( $user->ID);
I changed it to: wp_set_auth_cookie( $user->ID, true );

That second parameter of “true” tells the WordPress cookie creation code to create the auth cookie with a future expiration date, which defaults to 14 days. (Again, without that second param set to true, the cookie is session based and goes away when the browser is closed.)

To be direct and honest… the way this is coded, it is broken for every user… likely for years

And as I was trying to figure this out over weeks, I did a lot of searching and found many people dealing with the same issue that the dev team did not have a solution for “it works for us” when the reality is… it is broken for everyone.

I hope you can prioritize this as a fast patch. You’ve likely lost users because of this bug.

I optionally suggest you code the patch to honor the “Remember Me” setting in the login screen. In my test fix I hard-coded it to always be true. See video.

Being a big-time nerd, I created a video demonstrating this… at least watch the first few mins where I show the code.

I put ridiculous amounts of time into this. ha

Simply in your patreon_login.php you call wp_set_auth_cookie to create the authentication cookie (as you should) but you never pass the second parameter “remember” to create an auth cookie with a future expiration date. Instead every single time the auth takes place the cookie is created as a session cookie, which means the cookie is deleted when the browser is closed… forcing users to log in again every time.

To be direct and honest… the way this is coded, it is broken for every user… likely for years

This is not reproducible in a fresh WP installation and currently there are no plugin users reporting such an issue (and we haven’t had this reported in the past), including in the websites that make millions of unique visits/month.

The cookie/session persistence is something that depends on the settings for PHP at your web host, the WP settings in your own WP site and any login/session/security plugin that you may be using. You should investigate this at your site and find out what modifies your installation from a fresh WP installation.

If you were using Firefox to test your site: I did some tests, and this seems to be happening when using Firefox and the Firefox setting for General → Startup → Open previous windows and tabs in Firefox is turned off. It looks like Firefox now clears all cookies including session cookies for websites upon closing the browser if that setting is set to off.

That’s a separate setting in Chrome and it does not happen unless settings are specifically set to clear session cookies upon closing the browser.

So if any of your users were affected by this, ask them whether they were using Firefox with the above setting or Chrome with the clear cookies setting set to on.
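Added example (not part of the thread and not the plugin's code): both explanations above can be checked by reading the Set-Cookie response headers sent at login and seeing whether the WordPress auth cookies carry Expires or Max-Age. The header values are constructed, `0123abcd` stands in for the site's cookie hash, and the function names are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# WordPress auth cookie name prefixes; the test cookie is not an auth cookie.
AUTH_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_", "wordpress_")
IGNORED = {"wordpress_test_cookie"}

def cookie_lifetime(set_cookie, now):
    """Return (name, seconds) for one Set-Cookie value.

    seconds is None when neither Max-Age nor Expires is present, i.e. the
    browser treats it as a session cookie and drops it on close.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    if "max-age" in attrs:                  # Max-Age wins over Expires (RFC 6265)
        try:
            return name, int(attrs["max-age"])
        except ValueError:
            pass                            # malformed Max-Age is ignored
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return name, int((expires - now).total_seconds())
    return name, None

def audit(headers, now):
    """Classify each WordPress auth cookie found in a list of Set-Cookie values."""
    findings = {}
    for header in headers:
        name, seconds = cookie_lifetime(header, now)
        if name in IGNORED or not name.startswith(AUTH_PREFIXES):
            continue
        if seconds is None:
            findings[name] = "session"
        elif seconds <= 0:
            findings[name] = "expired"
        else:
            findings[name] = f"persistent ({seconds / 86400:.1f} days)"
    return findings

# Constructed samples: login response without and with the "remember" flag.
NOW = datetime(2025, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
NO_REMEMBER = ["wordpress_test_cookie=WP%20Cookie%20check; path=/",
               "wordpress_logged_in_0123abcd=constructed; path=/; secure; HttpOnly"]
REMEMBER = ["wordpress_logged_in_0123abcd=constructed; "
            "expires=Wed, 15 Jan 2025 10:00:00 GMT; path=/; secure; HttpOnly"]

if __name__ == "__main__":
    print(audit(NO_REMEMBER, NOW))
    print(audit(REMEMBER, NOW))
```

A persistent auth cookie stays usable on that device for its whole lifetime, so on shared machines the session form is the safer default; that is the practical reason to tie the flag to a user's “Remember Me” choice rather than always setting it.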

Thanks for the responses! I really appreciate you digging in. Just mentioning that I am taking a deeper look and will have a better response in a day or two.
