• Resolved Scott Kingsley Clark

    (@sc0ttkclark)


    First, some initial facts on my use-case:

    • WordPress 6.8
    • PHP 8.0.x (I know.. but I have to work through a complex upgrade process for one of the plugins first)
    • I have a project that uses multisite for a www site (the primary) and a subdomain site (a site in the network)
    • Since WP 6.8, uses the new PHP hashing logic (bcrypt, but more importantly password_verify, password_hash, and password_needs_rehash)
    • Each site has their own login page
    • Logged into the main site for the first time and password was “upgraded”
    • Logged into the second site in the multisite network after that and now it says the password is invalid
    • Logging out and logging back into main site works
    • Upon deeper inspection, I am finding that the wp_password_needs_rehash() result is true on the second site meaning that the hashing does not match between sites
    • I have a custom COOKIE_DOMAIN set (to .domain.com so the cookie can be accessed across subdomains) and a custom COOKIEHASH (so that the cookie can be shared across sites) — but I have disabled these in my testing to confirm they are not the cause of the issue

    Is it possible that the new WP 6.8 hashing logic that relies on built-in PHP hashing — is entirely hashed by the HTTP_HOST or some other unique identifier that I can’t quite see?

    I put together a quick plugin that I have in my mu-plugins directory to get around the issue: https://gist.github.com/sc0ttkclark/55abd765c7999d37fd984618040b2d1b

    It’s a terrible solution but it works for now and the result is you can only be logged into one site in the multisite network at a time 😭

Viewing 2 replies - 1 through 2 (of 2 total)