Multisite specific login issues with WP 6.8 password hashing

First, some initial facts on my use-case:

• WordPress 6.8
• PHP 8.0.x (I know.. but I have work through a complex upgrade process for one of the plugins first)
• I have a project that uses multisite for a www site (the primary) and a subdomain site (a site in the network)
• Since WP 6.8, uses the new PHP hashing logic (bcrypt, but more importantly password_verify, password_hash, and password_needs_rehash)
• Each site has their own login page
• Logged into the main site for the first time and password was “upgraded”
• Logged into the second site in the multisite network after that and now it says the password is invalid
• Logging out and logging back into main site works
• Upon deeper inspection, I am finding that the wp_password_needs_rehash() result is true on the second site meaning that the hashing does not match between sites
• I have a custom COOKIE_DOMAIN set (to .domain.com so cookie can be access across subdomains) and a custom COOKIEHASH (so that the cookie can be shared across sites) — but I have disabled these in my testing to confirm they are no the cause of the issue

Is it possible that the new WP 6.8 hashing logic that relies on built-in PHP hashing — is entirely hashed by the HTTP_HOST or some other unique identifier that I can’t quite see?

I put together a quick plugin that I have in my mu-plugins directory to get around the issue: https://gist.github.com/sc0ttkclark/55abd765c7999d37fd984618040b2d1b

It’s a terrible solution but it works for now and the result is you can only be logged into one site in the multisite network at a time 😭

• This topic was modified 2 months ago by Scott Kingsley Clark.
• This topic was modified 2 months ago by Scott Kingsley Clark.
• This topic was modified 2 months ago by Scott Kingsley Clark.