• On multisite WordPress sites, the path for setcookie() is set as SITECOOKIEPATH.
    This could cause serious issues in cases like the one below:

    2 multisite websites with subdirectories
    https://test.com/blog1/
    with user1 as Admin, user2 as Editor
    https://test.com/blog2/
    with user1 as Editor, user2 as Admin

    When I switch user in blog1 from user1 to user2, and then access blog2, I can access the blog as Admin.
    This is because the setcookie() path is not set to the multisite’s path.

    Instead of SITECOOKIEPATH, for multisite with subdirectories, it is safer to use

    // Use the current site's own path (e.g. "/blog1/") as the cookie path
    $blog_details = get_blog_details();
    $SITECOOKIEPATH = $blog_details->path;
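The mitigation the post suggests, as an added example that is not the original poster's code or the plugin's own: the cookie path is taken from the current site on a subdirectory multisite install and falls back to SITECOOKIEPATH elsewhere. It assumes it runs inside WordPress (get_blog_details(), is_multisite(), is_subdomain_install(), is_ssl(), SITECOOKIEPATH and COOKIE_DOMAIN are WordPress functions and constants); the function names and the cookie name are placeholders.

```php
<?php
// Added example (not the original poster's or the plugin's code).
// Assumes WordPress is loaded; function names and cookie name are placeholders.

/**
 * Cookie path for the current site.
 *
 * On a subdirectory multisite install every site shares SITECOOKIEPATH, so a
 * cookie set on /blog1/ is also sent to /blog2/. Using the site's own path
 * (e.g. "/blog1/") makes the browser send the cookie only to that site.
 * Single sites and subdomain installs keep SITECOOKIEPATH, which is already
 * site-specific there.
 */
function example_site_cookie_path() {
    if ( is_multisite() && ! is_subdomain_install() ) {
        $blog_details = get_blog_details();
        if ( $blog_details && ! empty( $blog_details->path ) ) {
            return $blog_details->path;
        }
    }
    return SITECOOKIEPATH;
}

/**
 * Set a cookie scoped to the current site rather than the whole network.
 * Same argument order as WordPress core's own setcookie() calls.
 */
function example_set_site_cookie( $value, $expire ) {
    setcookie(
        'example_switch_cookie',      // placeholder cookie name
        $value,
        $expire,
        example_site_cookie_path(),   // "/blog1/" on blog1, "/blog2/" on blog2
        COOKIE_DOMAIN,
        is_ssl(),                     // send only over HTTPS when the site uses it
        true                          // HttpOnly: not readable from JavaScript
    );
}

/**
 * Clear the cookie on the same path it was set with; a cookie cleared on a
 * different path is left in place by the browser.
 */
function example_clear_site_cookie() {
    setcookie( 'example_switch_cookie', ' ', time() - YEAR_IN_SECONDS,
        example_site_cookie_path(), COOKIE_DOMAIN );
}
```

When verifying the fix, check the Set-Cookie header on each site: the Path attribute should be the site's own path, not the network root.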
