Installed Post Password Token WordPress plugin

When the user enters a page or post password WordPress sets wp_postpass_XXXX cookie:

Use chrome://settings/cookies/detail? to see the cookies in Google Chrome browser.

I installed Post Password Token plugin that sets this cookie with the following code:

function ppt_set_cookie($post_password) {
  global $token, $wp_version;
  setcookie(PPT_COOKIE.COOKIEHASH, $token, null, COOKIEPATH);
  $redirect_uri = 'http' . (is_ssl() ? 's' : '') . '://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
  if (version_compare($wp_version, '3.3', '<=')) {
    // legacy cookie
    setcookie('wp-postpass_' . COOKIEHASH, $post_password, time() + 864000, COOKIEPATH);
  else {
    // hashed cookie
    global $wp_hasher;

          if (empty($wp_hasher)) {
      require_once( ABSPATH . 'wp-includes/class-phpass.php' );
      // By default, use the portable hash from phpass
      $wp_hasher = new PasswordHash(8, true);

    setcookie('wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword(stripslashes($post_password)), time() + 864000, COOKIEPATH);

also it sets its own cookie wp-post-token_XXXX.

The plugin makes password protected posts and pages accessible with a direct link. It was not updated for a long time, but looks like it works somehow.


Leave a Reply

Your email address will not be published. Required fields are marked *