SSO: Store initial nonce in cookie so that we are not requesting multiple nonces#6571
Thanks for the patch. Error: Invalid Nonce. But after the error, visiting https://www.domain.com/wp-admin shows me logged into the WordPress dashboard.

Hey @amitmalewar - Thanks for the extra information. Do you know if your remote Jetpack user had been linked to WP.com yet?

Yea, it is linked.
```php
static function clear_cookies_after_login() {
self::clear_wpcom_profile_cookies();
if ( isset( $_COOKIE[ 'jetpack_sso_nonce' ] ) ) {
setcookie(
```
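Review bot: the setcookie() call that expires jetpack_sso_nonce in clear_cookies_after_login() has to pass the same path and domain that were used when the cookie was set, otherwise the browser keeps the original cookie and only gains an expired duplicate; the arguments are cut off in this excerpt, so that cannot be confirmed here, and a one-line comment stating which set-cookie call this mirrors would make the pairing reviewable.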
Is it safe to store the sso nonce in a cookie?
The cookie is deleted immediately after the user successfully logs in. And if the user doesn't log in, the cookie is only good for 10 minutes.
Further, the nonce isn't tied to any user. It's used to verify intent. So, I think it's OK to store it in the cookie temporarily.
Ah, I see. Thanks for the explanation. :)
@amitmalewar - one of my coworkers just pushed a commit to force cache propagation on the WPCOM side. Would you mind testing again?

@ebinnion - Done!!
Possible fix to #6388.
After adding some debug code on the WordPress.com side, as best as I can tell so far, this seems to be a cache issue.
I added logging for when the nonces are created, and if I verify the nonce right after it is created, the nonce is valid.
I also added logging where we validate nonces, and I can see where it is failing. But, if I manually check through the terminal, the nonce returns valid.
So, for now, I'd like to suggest this PR as a potential fix. Regardless of whether it fixes the issue as reported in #6388, it should get merged anyway since we don't need to make 2 nonce requests every time a user attempts to log in via SSO.
To test:
- Log in, then log out
- jetpack_sso_nonce
- jetpack_sso_original_request
- jetpack_sso_redirect_to
- jetpack_sso_wpcom_name_*
- jetpack_sso_wpcom_gravatar_*
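As an added example, not Jetpack's code and not the patch under review, here is the cookie-backed nonce handling the thread describes (one nonce per login attempt, a 10-minute lifetime, cleared once the login succeeds) written as WordPress PHP. The function names, the WP.com request stub and the 32-hex-character nonce shape are hypothetical; the WordPress constants and `is_ssl()` are given fallbacks so the file runs stand-alone.

```php
<?php
// Added example, not Jetpack's code: one SSO nonce per login attempt, kept in a
// short-lived cookie so a second nonce is not requested on every page load.
// Function names and the WP.com request stub below are hypothetical.

const SSO_NONCE_COOKIE = 'jetpack_sso_nonce';
const SSO_NONCE_TTL    = 10 * 60; // 10 minutes, matching the nonce lifetime described above

// WordPress defines these; the fallbacks let the file run outside WordPress.
defined( 'COOKIEPATH' )    || define( 'COOKIEPATH', '/' );
defined( 'COOKIE_DOMAIN' ) || define( 'COOKIE_DOMAIN', '' );
if ( ! function_exists( 'is_ssl' ) ) {
	function is_ssl() {
		return ! empty( $_SERVER['HTTPS'] ) && 'off' !== $_SERVER['HTTPS'];
	}
}

// Stand-in for the remote nonce request to WordPress.com (hypothetical).
function sso_request_nonce_from_wpcom() {
	return bin2hex( random_bytes( 16 ) );
}

// Reuse the nonce already issued for this login attempt, or request a new one.
function sso_get_or_create_nonce() {
	$cookie = isset( $_COOKIE[ SSO_NONCE_COOKIE ] ) ? $_COOKIE[ SSO_NONCE_COOKIE ] : '';

	// The cookie is client-supplied: accept only the shape a nonce is assumed to
	// have (32 hex chars here) before echoing it into a redirect URL or request body.
	if ( preg_match( '/^[a-f0-9]{32}$/', $cookie ) ) {
		return $cookie;
	}

	$nonce = sso_request_nonce_from_wpcom();

	// HttpOnly keeps page scripts away from it; Secure when the site is served over TLS.
	setcookie( SSO_NONCE_COOKIE, $nonce, time() + SSO_NONCE_TTL, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
	$_COOKIE[ SSO_NONCE_COOKIE ] = $nonce; // make it visible to the rest of this request
	return $nonce;
}

// Call once the login has succeeded so the nonce does not linger in the browser.
function sso_clear_nonce_cookie() {
	if ( ! isset( $_COOKIE[ SSO_NONCE_COOKIE ] ) ) {
		return;
	}
	// Path and domain must match the values used when the cookie was set,
	// otherwise the browser keeps the original and only gains an expired duplicate.
	setcookie( SSO_NONCE_COOKIE, '', time() - 3600, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
	unset( $_COOKIE[ SSO_NONCE_COOKIE ] );
}
```

The format check before reusing the cookie value matters because, unlike a nonce the server just fetched, a cookie arrives from the client and can hold anything; validating its shape keeps an attacker-chosen string out of the redirect that carries the nonce to WordPress.com.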