Having trouble with auth cookies

[chrisvanpatten]

I've got some trouble getting auth cookies to save in a WP-Router callback.

I have GET/POST routes registered for ^register/([a-z0-9]{32})$, where I verify a registration token and then show a registration form. The form (on the GET route) POSTs to the same place.

It's in the POST call that I process the registration and then (attempt to) authenticate the user immediately, so they don't need to sign in immediately after registration, then redirect them to the next step in the registration process (a payment form).

Unfortunately, the WP auth cookies aren't getting set, even though I'm directly calling the functions to do that.

Here's what I've got:

My route registration (in a mu-plugin):

<?php

add_action( 'wp_router_generate_routes', function( \WP_Router $router ) {

    $router->add_route( 'register', array(
        'title'    => 'Register',
        'path'     => '^register/([a-z0-9]{32})$',
        'query_vars' => array(
            'fh_token' => 1,
        ),
        'template' => array(
            'register.php',
        ),
        'access_callback' => TRUE,
        'page_arguments'  => array( 'fh_token' ),
        'page_callback'   => array(
            'GET'  => array( 'MyApp\RegisterController', 'get' ),
            'POST' => array( 'MyApp\RegisterController', 'post' ),
        ),
    ) );

    $router->add_route( 'payment', array(
        'title'    => 'Payment',
        'path'     => '^payment',
        'template' => array(
            'payment.php',
        ),
        'access_callback' => TRUE,
        'page_callback'   => array(
            'GET'  => array( 'MyApp\PaymentController', 'get' ),
            'POST' => array( 'MyApp\PaymentController', 'post' ),
        ),
    ) );

}, 10, 1 );

My registration controller POST callback, autoloaded via Composer:

<?php

namespace MyApp;

class RegisterController {

    public static function post( $fh_token = null )
    {
        // blah blah blah
        // parse the $_POST submission, create the user
        // verify the $fh_token

        // set the $user variable from the newly-created user,
        // $user is an instance of a custom class that nicely
        // abstracts WP_User

        // Clear existing auth cookies
        wp_clear_auth_cookie();

        // Log the user in
        // Note: $user is a local object, assume it works, 'cuz it does
        do_action( 'wp_login', $user->getEmail(), $user->item );

        wp_set_current_user( $user->getId() );
        wp_set_auth_cookie( $user->getId(), true );

        // Redirect to payment page
        wp_safe_redirect( '/payment' );
        exit();
    }

}

When I adjust the registration POST callback so it doesn't redirect, the authentication works—sort of. The WP admin bar shows up, and is_user_logged_in() calls in the page template return true.

It still doesn't set the wordpress_logged_in cookie though, which means that on subsequent pageloads the session doesn't persist and the user is logged out. Just for kicks, I also tried a direct setcookie() call in the callback, and that cookie wasn't added either.

I know it's not my server configuration stripping the cookies, because logins at wp-login.php or through a page with a wp_login_form() work fine and set the cookies properly.

Any ideas?

[jmslbam]

Try first setting wp_set_auth_cookie( $user->getId(), true ); then wp_set_current_user( $user->getId() ); like this https://github.com/pippinsplugins/Restrict-Content-Pro/blob/master/includes/login-functions.php#L47

[chrisvanpatten]

No luck, unfortunately. Also tried moving the cookie setting into the access_callback, so it executed a bit earlier, and that didn't help either. Something is keeping these cookies from being included in the response...

[chrisvanpatten]

Hi everyone, my name is Chris, and I'm an idiot who didn't realise he had disabled cookie saving in his dev browser while testing another project.

[jmslbam]

:see_no_evil: good luck hacking!