BUG SOLVED!: Maintaining Authentication after browser shutdown

Patreon WordPress Dev Team: I found/fixed the bug in the WordPress plugin that causes the authentication to be lost on browser close (users have to log in every time).

Simply in your patreon_login.php you call wp_set_auth_cookie to create the authentication cookie (as you should) but you never pass the second parameter “remember” to create an auth cookie with a future expiration date. Instead every single time the auth takes place the cookie is created as a session cookie, which means the cookie is deleted when the browser is closed… forcing users to log in again every time.

This is not a good user behavior. Users expect to be able to go considerable time (a month?) without logging in again.

For my TEST fix, where you call, in three places: wp_set_auth_cookie( $user->ID );
I changed it to: wp_set_auth_cookie( $user->ID, true );

That second parameter of “true” tells the WordPress cookie creation code to create the auth cookie with a future expiration date, which defaults to 14 days. (Again, without that second param set to true, the cookie is session based and goes away when the browser is closed.)

To be direct and honest… the way this is coded, it is broken for every user… likely for years.

And as I was trying to figure this out over weeks, I did a lot of searching and found many people dealing with the same issue, for which the dev team did not have a solution (“it works for us”), when the reality is… it is broken for everyone.

I hope you can prioritize this as a fast patch. You’ve likely lost users because of this bug.

I optionally suggest you code the patch to honor the “Remember Me” setting in the login screen. In my test fix I hard-coded it to always be true. See the video.

Being a big-time nerd, I created a video demonstrating this… at least watch the first few mins where I show the code.

I put ridiculous amounts of time into this. ha


Simply in your patreon_login.php you call wp_set_auth_cookie to create the authentication cookie (as you should) but you never pass the second parameter “remember” to create an auth cookie with a future expiration date. Instead every single time the auth takes place the cookie is created as a session cookie, which means the cookie is deleted when the browser is closed… forcing users to log in again every time.

To be direct and honest… the way this is coded, it is broken for every user… likely for years.

This is not reproducible in a fresh WP installation and currently there are no plugin users reporting such an issue (and we haven’t had this reported in the past), including on the websites that make millions of unique visits/month.

The cookie/session persistence is something that depends on the settings for PHP at your web host, the WP settings in your own WP site and any login/session/security plugin that you may be using. You should investigate this at your site and find out what modifies your installation from a fresh WP installation.

If you were using Firefox to test your site: I did some tests, and this seems to be happening when using Firefox and the Firefox setting for General → Startup → Open previous windows and tabs in Firefox is turned off. It looks like Firefox now clears all cookies including session cookies for websites upon closing the browser if that setting is set to off.

That’s a separate setting in Chrome and it does not happen unless settings are specifically set to clear session cookies upon closing the browser.

So if any of your users were affected by this, ask them whether they were using Firefox with the above setting or Chrome with the clear cookies setting set to on.

Thanks for the responses! I really appreciate you digging in. Just mentioning that I am taking a deeper look and will have a better response in a day or two.


Just started researching this issue today after I was notified by my users.

@skyzlmt Thank you for this. I’ve seen this discussed in a few places and was hoping at some point we’d get an option to set this remember me setting instead of modifying the code. :frowning:

Patreon Dev Team (@codebard):
Would it be at all possible to just do this as an option in the plugin settings so this stops being an issue, or maybe even give the user an option when they hit the unlock button? I don’t want it to be session based; I want it to be a normal login that remembers, or at least have the option to without having to modify the code. I’m using a very vanilla PHP setup (virtualmin install) and my users have all mentioned this constant logging out / in issue to me with all kinds of different browsers (Android Chrome and iOS Safari at the very least). Regardless of why it might happen, wouldn’t it make sense to just give the option in the plugin settings for the sake of making this easier? People are all working in different environments for different reasons and this would be a way to put that issue to bed.

As it is, I’ve modified the plugin and now I’ll have to redo this every time I update. It’s a free plugin so I’m not going to complain (I absolutely love this plugin and am EXTREMELY grateful for it), but I feel like this would really cut down on some headaches for people if you were willing to make the change.


I somewhat understand why Patreon Dev hasn’t made my change… because it’s surprising that it’s taken 2 months for someone else to say “me too”… I wonder if there is some extra variable at play (he thinks aloud). But when I read the specs it seems very clear to me that the second param of true is needed.

Updating the code after a plugin update isn’t bad… I have the “File manager” plugin in my site that allows me to browse the files and edit them (Code Editor). I load up the file in Code Editor, search on wp_set_auth_cookie and then add the extra “, true” parameter.

I actually found several other topics about this exact same thing and fortunately, a kind soul actually offered up some code to create a plugin to do this rather than manual editing (this is much better than having to edit the code every time there’s an update haha).

What I’d LOVE to see is for them to take this and just make it an option in the Patreon plugin itself because this is just going to happen sometimes. It doesn’t really matter if another plugin causes it or some server setting you have causes it because if you need those things to work that way anyway, you need this to be an option, right? I completely understand when the developer says “hey your environment is causing this” but the fact of the matter is, I can’t change it. I have what I have for whatever reasons and I can’t start disabling other plugins or changing my PHP settings. Also even if this worked as it is supposed to, the option to set the remember me setting is still preferable because it will ALWAYS last longer than the session method that was used in the plugin (and because if you have this issue it is fixed by that option).

I used that other guy’s code and then some more code to extend logins to 30 days (the time before a token refresh is required with Patreon). Should make things easier on my users!
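As an added example, not code from this thread, from the Patreon plugin or from the “kind soul’s” plugin referred to above, here is what the OP’s change (passing the `remember` flag to `wp_set_auth_cookie`) and the 30-day extension mentioned in the post above look like when combined into one small standalone WordPress plugin. The option name `example_patreon_remember_me` and the `example_*` function names are assumptions for illustration; `wp_set_auth_cookie`, the `auth_cookie_expiration` filter and `DAY_IN_SECONDS` are standard WordPress APIs.

```php
<?php
/*
Plugin Name: Example persistent Patreon login (illustration only)
*/

// Hypothetical setting. The real Patreon plugin exposes no such option;
// this is the "make it a setting instead of hard-coding true" idea from the thread.
function example_patreon_remember_me() {
    return (bool) get_option( 'example_patreon_remember_me', true );
}

// What the three calls in patreon_login.php look like once the second
// argument is supplied. With $remember === false WordPress sets the cookie's
// Expires to 0, i.e. a session cookie that the browser drops on close; with
// $remember === true it sets a future Expires (14 days by default).
function example_patreon_set_auth_cookie( $user_id ) {
    $remember = example_patreon_remember_me();
    wp_set_auth_cookie( $user_id, $remember );
}

// Extend the persistent cookie to 30 days, but only for "remember me" logins.
// The filter receives ( $length, $user_id, $remember ); returning $length
// unchanged when $remember is false keeps WordPress's default for
// non-remembered logins.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    if ( $remember ) {
        return 30 * DAY_IN_SECONDS;
    }
    return $length;
}, 10, 3 );
```

Dropping this into `wp-content/mu-plugins/` survives plugin updates, which is the maintenance problem the posts above describe. The trade-off the filter makes explicit is that a longer-lived auth cookie is also useful to anyone who copies it for longer; WordPress still invalidates the cookie’s session token on logout or password change, so that remains the way to cut a stolen cookie short.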

Sorry I know this is quite verbose, but to address the session cookies in general, they are supposed to delete on browser exit so this is not actually surprising behavior.

Expires=<date> (optional)

Indicates the maximum lifetime of the cookie as an HTTP-date timestamp. See Date for the required formatting.

If unspecified, the cookie becomes a session cookie. A session finishes when the client shuts down, after which the session cookie is removed.

Warning: Many web browsers have a session restore feature that will save all tabs and restore them the next time the browser is used. Session cookies will also be restored, as if the browser was never closed.

When an Expires date is set, the deadline is relative to the client the cookie is being set on, not the server.

Would it be at all possible to just do this as an option in the plugin settings so this stops being an issue or maybe even give the user an option when they hit the unlock button?

The plugin cannot modify the settings in the users’ browser, and the session cookie length is something that is controlled by your hosting and your WP site. Those must be adjusted there, and not in the plugin. Code that could affect every website’s sessions is dangerous, as it could interfere with the login systems of those sites.

If you want to do it on your site, you can use whatever modification you see fit in a plugin, like some do.

For the ‘remember me’ feature: this may be worth looking at. But an ETA can’t be provided.


Oh yes that is specifically what I was referring to. The remember me option. That is the fix here and the fix others have referenced. The part in his code there is just using the function you are already using BUT setting the “remember me” piece of that function to true which will then use a cookie instead of just a session. I definitely don’t want you to modify how sessions work and would generally agree with any apprehension there.

No ETA is no problem! That you’d consider it is great. Once you implement it, you’ll just be able to point to that setting when someone has this issue. :slight_smile:

Thanks again for the great plugin! :heart:

I love your plugin… you are absolutely a more talented coder than I… but I am well aware of the “coder stubbornness” regarding one’s code and admitting there could be an issue. ha. I think you are ignoring what is clearly in the WordPress API documentation.

It is not “messing with someone’s sessions”… it’s not a hack, as is implied by your response. What I presented is an actual, clearly documented param and use case within the WordPress API… I just don’t understand how that can be discounted or ignored selectively.

Sorry for my directness. I see there is a new update to the Patreon plugin and I know after updating it I have to manually modify the code again… so I popped back to this topic.

Thanks again.