fix: resolve redirect loop and 403 when accessing subsite wp-admin#827
superdav42 merged 1 commit into main.
Conversation
On subdirectory multisite with a centralized custom login page, accessing any subsite's wp-admin (e.g. /subsite/wp-admin/) caused an infinite redirect loop between auth_redirect() and maybe_redirect_to_admin_panel().

Root cause: auth cookies (wordpress_sec_*) are set with path=/wp-admin during main-site login, but subsite wp-admin lives at /subsite/wp-admin/ — browsers don't send the cookie because the path doesn't match. The logged_in cookie (path=/) is always available but wasn't being used.

Three fixes:

1. determine_current_user filter (priority 30) in auth-functions.php — falls back to the logged_in cookie when auth cookies aren't present, so WordPress correctly identifies the user on subsite wp-admin pages.
2. auth_redirect() fallback in auth-functions.php — also tries the logged_in cookie before forcing a login redirect.
3. maybe_redirect_to_admin_panel() in class-checkout-pages.php — respects reauth=1 to prevent auto-redirecting logged-in users back to the target that just rejected them, breaking any potential loop.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Performance test results for f4a40d3 are in. Note: the numbers in parentheses show the difference to the previous (baseline) test run. Differences below 2% or 0.5 in absolute values are not shown.
Summary
Auth cookies (wordpress_sec_*) are path-scoped to /wp-admin during main-site login, but subsite wp-admin lives at /subsite/wp-admin/ — browsers don't send the cookie, causing auth_redirect() and maybe_redirect_to_admin_panel() to bounce the user back and forth indefinitely.

- determine_current_user filter (priority 30) that falls back to the logged_in cookie (path /) so WordPress correctly identifies the user on any subsite's wp-admin
- logged_in cookie fallback in auth_redirect() before forcing a login redirect
- maybe_redirect_to_admin_panel() now respects reauth=1 as a loop-breaking safety net

Test plan

- /wp-admin/ — should load the dashboard (previously: infinite redirect loop)
- /wp-admin/ while not logged in — should redirect once to the login page and show the form
- /wp-admin/ still works normally for logged-in users

🤖 Generated with Claude Code
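The determine_current_user fallback that the summary describes, written out as an added illustration in plain WordPress PHP; this is not the PR's own code from auth-functions.php. The function name and the guard that skips the fallback when an auth cookie did arrive but was rejected are my assumptions, added so the fallback only covers the subsite-admin case where the path-scoped cookie is genuinely absent.

```php
<?php
// Added illustration, not the PR's implementation.
// Assumes a subdirectory multisite where the auth cookies are scoped to
// /wp-admin on the main site and therefore never reach /subsite/wp-admin/,
// while the logged_in cookie (path "/") is sent on every path.

add_filter( 'determine_current_user', 'example_logged_in_cookie_fallback', 30 );

/**
 * Fall back to the logged_in cookie when no auth cookie was sent.
 *
 * @param int|false $user_id User ID found by earlier callbacks, or false.
 * @return int|false
 */
function example_logged_in_cookie_fallback( $user_id ) {
	// Core's own callback (priority 10) already identified the user: keep it.
	if ( $user_id ) {
		return $user_id;
	}

	// Limit the fallback to admin requests on a multisite install.
	if ( ! is_multisite() || ! is_admin() ) {
		return $user_id;
	}

	// An auth cookie that was sent but rejected must stay rejected; the
	// fallback is only for the case where the browser never sent one.
	if ( ! empty( $_COOKIE[ AUTH_COOKIE ] ) || ! empty( $_COOKIE[ SECURE_AUTH_COOKIE ] ) ) {
		return $user_id;
	}

	// With an empty $cookie argument and the 'logged_in' scheme, core reads
	// LOGGED_IN_COOKIE and verifies its HMAC, expiry and session token.
	$fallback_id = wp_validate_auth_cookie( '', 'logged_in' );

	return $fallback_id ? (int) $fallback_id : $user_id;
}
```

Core scopes the auth cookies to /wp-admin on purpose, so the guards above keep the fallback from widening that scope beyond the subsite dashboards the loop affected.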