I’m using wordpress for a specific client because of their need to edit content themselves. With this, I’m using their page password protection, per client’s request. The problem is, it seems that the cookie being set never times out. So, once the client enters the password, nobody ever has to enter the password again through the same browser on the same machine. This leaves it wide open for anybody to walk up to and enter. So, I assume the best way to address this is to set a timeout on the cookie. However, I’m not sure how to do that with the php function. Here’s the whole function:
function post_password_required( $post = null ) {
$post = get_post($post);
if ( empty( $post->post_password ) )
return false;
if ( ! isset( $_COOKIE['wp-postpass_' . COOKIEHASH] ) )
return true;
require_once ABSPATH . WPINC . '/class-phpass.php';
$hasher = new PasswordHash( 8, true );
$hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
if ( 0 !== strpos( $hash, '$P$B' ) )
return true;
return ! $hasher->CheckPassword( $post->post_password, $hash );
}
Really, I’d like to have the cookie expire when the browser closes, and otherwise every few hours. Any advice on what to add to make the cookie expire after it’s set?
I believe it would probably have to be added to this line:
$hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
Thanks ahead of time for any advice.
There’s a much, much easier way to do this, using the
post_password_expires
filter. By default, the cookie expires 10 days from creation. To turn this into a session cookie, return 0. The following should be added to your theme’s functions.php: