The MU forums have moved to WordPress.org

Site wide logins (8 posts)

  1. donncha
    Key Master
    Posted 18 years ago #

    I've just checked in a change to wp-settings.php so that cookies are visible to a whole domain, not just the hostname they were set on.

    What this means in practical terms is if you are using VHOSTS then you can go to another blog on your domain and be logged in. WHen logging in through the main blog you'll be automattically redirected to your own dashboard and logged in!

    Unfortunately, this has an implication for security. You should be certain that untrusted Javascript cannot run on user blogs. Javascript can be used to steal cookies very easily. Once someone gets your cookies it's very easy for them to login as you and do bad things.

    This has always been the case for subdir blogs because they're running on the same hostname.

  2. quenting
    Member
    Posted 18 years ago #

    Good move, i had already made such a modification on my installation.
    If they were allowed to use javascript they could do it with the previous setup anyway. js for users = evil.

  3. PleaseHelp
    Member
    Posted 18 years ago #

    How I can disable JS on user's blogs?

  4. donncha
    Key Master
    Posted 18 years ago #

    It's already done :)

  5. andrewbillits
    Member
    Posted 18 years ago #

    donncha,

    This will also help with comments true?

  6. donncha
    Key Master
    Posted 18 years ago #

    Yes, like on wordpress.com, you'll be logged in automatically when you want to comment on a blog on your site which is rather nice. :)

  7. drmike
    Member
    Posted 18 years ago #

    I wonder if I should be using this as an excuse over on the WP.com forums for one of the reasons why User installed JavaScripts are a bad idea.

  8. donncha
    Key Master
    Posted 18 years ago #

    Oh most certainly! This is one of the main reasons why they're not allowed, although AFAIK, the new https login on the site exposes less information to each blog. I can't tell what happens when you visit a blog through http:// though, that may make the wordpressuser/wordpresspassword cookies visible again.

About this Topic