making bbPress (and WordPress) work better!

WordPress 2.8 might break login compatibility (again)

Remember how they changed the login cookie in WordPress 2.5 ?

Then they realized they got the security model wrong so they changed it again in 2.6 causing more backward compatibility problems. (then they finally added HttpOnly in 2.7)

So since it’s all working/stable now, guess what, they are tampering with it again:

This time they are not changing or adding cookies, that would be “too easy” to work around, they are changing the action hooks which will of course make any existing plugins that rely on the hooks to replace, modify or supplement the authentication stop working.

Hopefully it will all stay inside of pluggable.php so that we can fairly easily roll it back to the 2.6 or even 2.5 system as desired with replacement functions.

I am particularly sensitive to this kind of change because of how it typically breaks bbPress integration. This could also affect WPMU and BuddyPress. Hopefully since they shouldn’t be changing the cookie format, in theory we shouldn’t have to change anything but things rarely work out that easy in real-life.

(By the way my OpenID plugin for bbPress has half the complexity of the WordPress solution and does not require any special apache/php modules to function – it could be ported to WordPress fairly easily if anyone wanted to – except of course, you might have to change it again for WP 2.8)

7 responses

  1. Have you found any plugins/situations where that change breaks anything? We talked about it for awhile before coming up with that particular course of action.

    Prior to that change the only thing plugins could do was completely replace the authentication mechanism. If they wanted to have the ability to fall back on the stock WP auth then they’d have to copy all of the auth code (and stay in sync with any changes). With this filter technique they can do both without having to duplicate a single line of code.

    April 3, 2009 at 3:47 pm

  2. I dare say with the sheer number of WP installs out there, there will be plenty of people to find the bugs for you, after the fact, problems you didn’t anticipate and might have to rush embarrassingly to 2.8.1

    This is why tampering with legacy code is bad idea. People get weary after having to deal with downtime on every release because a developer missed a compatibility issue so they stop upgrading and then they get hit by security issues and the product gets a bad name.

    Out of all the things that were finally stable in 2.7, it would be the login and cookie stuff. I don’t get the need to risk breaking things in the core.

    If all you were doing is adding new, additional actions or filters to old code, that would be fine since older plugins won’t be aware of them anyway and you can take advantage of them later. However changing behaviors is always problematic, you can never predict how every plugin is expecting the result.

    I hope I am utterly wrong and your changes don’t cause a single problem. But out of all the things to change a single line in, login would be the biggest hassle if it breaks.

    April 3, 2009 at 5:39 pm

  3. Have you had a chance to look at the actual code that changed? Having this additional capability of being able build on top of the default WP auth system and not just replace it will make other features possible, like OAuth.

    I don’t think it’s reasonable to forbid any changes to the current WordPress code base. We obviously try to hard to maintain compatibility as much as possible, while at the same time trying to fix and improve old things and bring in new things when they seem reasonable to do.

    No one wants to see things break unnecessarily. The code has been in -trunk for more than two months and Ryan will likely have a few 2.8 release candidates before 2.8 gets officially released. Those are both great opportunities for plugin developers to test things out before 2.8 hits the streets.

    April 3, 2009 at 6:13 pm

  4. Sorry I guess I am taking out some frustration on you that you don’t deserve.

    I just really didn’t like how they changed the cookies in WP after 2.5 and tripled the complexity of the salt, etc. Instead of leaving the original cookie design in place and simply adding layers, they replaced the functionality of the original cookie while keeping the name the same.

    The whole source of the problem in WordPress is how regular users are given access to the back-end, shared with administrative tasks that are simply hidden or locked out of view but still loaded. All that is now locked into legacy of course and might never be changeable (hence why I like bbPress’s approach so much better).

    But WordPress has to remember now that any changes it makes affects the sister products like bbPress (and years of legacy). I’m not saying “forbid changes” I am saying maintain backward compatibility when possible, even when there’s a deep urge to redo things from scratch because it would be so much better – because if you are going to do the “so much better” route, there are huge tempting do-overs in the code.

    I just hope WordPress never has the equal of a “Vista” version. It could see that happen someday given the path they are on, more files, more complexity, etc.

    Is it wrong that I really miss the days of WP 2.0 ? LOL

    April 3, 2009 at 7:21 pm

  5. Haha, I don’t miss the WP 2.0 admin UI 🙂

    April 3, 2009 at 7:48 pm

  6. I can’t stand what they did in the 2.7 UI.
    I still use the WP 2.3 branch and 2.5 branch on most of my WP installs.
    But then again I still use the Windows 2000 interface in Windows XP so I guess I am weird like that.

    April 4, 2009 at 4:02 am

  7. Pingback: Tyrone

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s