Switch back fails when Wordpress is in subdirectory and using custom login page

[filipengberg]

I'm using Bedrock which puts Wordpress in it's own subdirectory. Part of this setup is to change the site url like the following:

define('WP_SITEURL', "http://site.com/wp");

This works fine along with the user swithing plugin. However I have also defined a custom login page by implementing the login_url filter.

So instead of the built-in login page http://site.com/wp/wp-login.php my login url becomes http://site.com/login and shows a custom post with a login form.

This combination breaks the "Switch back" functionality in this plugin. The reason seems to be that the auth cookie saved by the plugin uses SITECOOKIEPATH to save the cookie. Since this value is fetched from the WP_SITEURL setting, the value becomes /wp. So the cookie is only saved in the /wp path, but my login page is in the root path. This means that the user switching auth cookie (prefixed wordpress_user_sw_) is not available in the login page and the user switch fails with a "Could not switch off." message.

Changing all instances of SITECOOKIEPATH in your plugin to COOKIEPATH fixes the problem since COOKIEPATH is fetched from the home_url setting. But I guess there is some reason for the auth cookie to be saved in SITECOOKIEPATH while the old_user cookie is saved in COOKIEPATH?

Another solution would be to add a filter in you plugin so that it was possible to override the url used for switching from wp_login_url() to something else. if you think that sounds like a good idea I'd be happy to send a pull request.

Or maybe this could be solved in some other way?

[johnbillion]

Thanks for the report. I thought I had an answer for this, but I don't think I do. I'll look into it some more.

[filipengberg]

Thanks for looking in to it!

Since I needed to fix this for my current project I went and added a filter so that it's possible to change the url depending on the switching action. I also created a pull request with these changes, if you think it's the right way to fix this issue.

[alpipego]

@reekris see my answer here for a solution that does not involve changing the plugin code.

@johnbillion I propose changing the cookie path from SITECOOKIEPATH to wp_login_url(), I think it is the least hacky solution and does not require any user action (like a filter would). Simply ignore the former. Sorry.

[benoitchantre]

I have the same issue with a subdirectory install and a custom url for the login page (using WPS Hide Login). When I disable WPS Hide Login, I can switch back to my session without issue, even the site is using a subdirectory installation.

[clifgriffin]

Had the same issue and was able to fix it using a variation of @alpipego's fix. Here's my setup:

1. WordPress installed in subdirectory
2. Theme My Login activated

Dropped this code into an mu-plugin:

add_action('wp_die_handler', function($handler) {
	parse_str($_SERVER['QUERY_STRING'], $query);

	if ( $query['action'] === 'switch_to_olduser' ) {
		wp_redirect(get_bloginfo('wpurl') . $_SERVER['REQUEST_URI']);
		exit;
	}

	return $handler;
});

Since all switch_to_olduser actions seem to go through the login page, I was able to remove the conditional that checked whether the script in use was wp-login.php as this doesn't return true in all setups.