Clearing auth cookies when visiting wp-login.php while being already logged-in #659

@kasparsd

Describe the bug

When a user who is logged-in (and has two-factor configured) visits the wp-login.php page, their authentication state is cleared. The clearing should happen only during the two-factor login workflow.

By default, WP core redirects users to the dashboard if they visit wp-login.php while already logged in. This is not happening and prevents other plugins that rely on the logged-in state on the wp-login.php page from functioning.

This happens because the function attached to wp_login is running the logic even outside of the login flow:

    public static function wp_login( $user_login, $user ) {
        if ( ! self::is_user_using_two_factor( $user->ID ) ) {
            return;
        }

        // Invalidate the current login session to prevent from being re-used.
        self::destroy_current_session_for_user( $user );

        // Also clear the cookies which are no longer valid.
        wp_clear_auth_cookie();

        self::show_two_factor_login( $user );
        exit;
    }

Steps to Reproduce

  1. Log in to a site.
  2. Configure and enable any two-factor method.
  3. Visit /wp-login.php and notice that a login form is shown or just the two-factor prompt.

Environment information

  • Two-factor 0.11.0
  • Default theme 2025
  • No other plugins

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes
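
A check for the symptom described in this issue, as an added example (not code from the Two-Factor plugin or from the issue author): given the status and headers of a response to `GET /wp-login.php` sent with valid auth cookies, it reports whether the response deletes the WordPress auth cookies or redirects to the dashboard. The sample responses, the `example.test` host and the `/wp-admin` substring used to recognise the dashboard redirect are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# wordpress_<hash>, wordpress_sec_<hash>, wordpress_logged_in_<hash> (hash = 32 hex chars)
AUTH_COOKIE = re.compile(r"^wordpress_(?:sec_|logged_in_)?[0-9a-f]{32}$")

def _expired(attrs, now):
    """True when the cookie attributes tell the browser to delete the cookie."""
    try:
        if "max-age" in attrs:  # Max-Age takes precedence over Expires
            return int(attrs["max-age"]) <= 0
        if "expires" in attrs:
            return parsedate_to_datetime(attrs["expires"]) <= now
    except (TypeError, ValueError):
        pass  # unparseable attribute: treat as not expired
    return False

def classify(status, headers, now=None):
    """headers: list of (name, value) pairs. Returns (verdict, cleared_cookie_names)."""
    now = now or datetime.now(timezone.utc)
    final, location = {}, None
    for name, value in headers:
        if name.lower() == "location":
            location = value
        elif name.lower() == "set-cookie":
            first, *rest = [p.strip() for p in value.split(";")]
            cname = first.partition("=")[0]
            attrs = {k.strip().lower(): v.strip()
                     for k, _, v in (p.partition("=") for p in rest)}
            if AUTH_COOKIE.match(cname):
                final[cname] = _expired(attrs, now)  # last Set-Cookie per name wins
    cleared = sorted(n for n, gone in final.items() if gone)
    if cleared:
        return "auth-cookies-cleared", cleared
    if status in (301, 302, 303, 307, 308) and location and "/wp-admin" in location:
        return "redirected-to-dashboard", []
    return "inconclusive", []

# Constructed sample responses (not captured from a real site).
H = "0123456789abcdef0123456789abcdef"
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
BUGGY = (200, [
    ("Set-Cookie", f"wordpress_logged_in_{H}=constructed-token; path=/; HttpOnly"),
    ("Set-Cookie", f"wordpress_logged_in_{H}=%20; expires=Mon, 15 Jan 2024 12:00:00 GMT; Max-Age=0"),
])
HEALTHY = (302, [("Location", "https://example.test/wp-admin/"),
                 ("Set-Cookie", f"wordpress_logged_in_{H}=constructed-token; path=/; HttpOnly")])
```

Feeding it the response from step 3 of the reproduction gives a regression check that can run after each plugin update.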
