Fix magic login behind CDNs that strip Set-Cookie headers

bourafai · claude · bourafai · commit f097c1354f8a · 2026-02-17T11:35:29.000+01:00
CDNs configured to cache aggressively (e.g. Cloudflare with "Cache
Everything") strip Set-Cookie headers from the magic login response,
preventing users from being authenticated.

Use a two-step handoff: the magic URL now creates a short-lived
transient and redirects to wp-login.php, which CDNs universally
exclude from caching. The auth cookies are set there instead.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/plugin/wp-cli-login-server.php b/plugin/wp-cli-login-server.php
@@ -26,6 +26,75 @@ function init_server_from_request()
     add_action('plugins_loaded', __NAMESPACE__ . '\\init_server_from_request');
 }
 
+/**
+ * Complete the magic login handoff on wp-login.php.
+ *
+ * CDN/proxy layers (e.g. Cloudflare with "Cache Everything") may strip
+ * Set-Cookie headers from responses on arbitrary URLs. By deferring the
+ * cookie-setting to wp-login.php — which CDNs universally exclude from
+ * caching — the auth cookies are guaranteed to reach the browser.
+ */
+function handle_login_handoff()
+{
+    if (empty($_GET['wp_cli_login_token'])) {
+        return;
+    }
+
+    $token = sanitize_text_field($_GET['wp_cli_login_token']);
+    $data  = get_transient('wp_cli_login/handoff/' . $token);
+
+    if (! $data) {
+        wp_die(
+            '<strong>The magic login handoff has expired or already been used.</strong>'
+            . sprintf('<p>Try again perhaps? or <a href="%s">Go Home &rarr;</a></p>', esc_url(home_url())),
+            'Login Failed',
+            ['response' => 410]
+        );
+    }
+
+    delete_transient('wp_cli_login/handoff/' . $token);
+
+    $user = new \WP_User($data['user_id']);
+
+    if (! $user->exists()) {
+        wp_die(
+            '<strong>No user found or no longer exists.</strong>'
+            . sprintf('<p><a href="%s">Go Home &rarr;</a></p>', esc_url(home_url())),
+            'Login Failed',
+            ['response' => 410]
+        );
+    }
+
+    nocache_headers();
+
+    wp_set_auth_cookie($user->ID);
+
+    /** @see WP_CLI_Login_Server::loginUser() */
+    do_action('wp_cli_login/login', $user->user_login, $user);
+    do_action('wp_login', $user->user_login, $user);
+
+    $redirect_to = ! empty($data['redirect_url']) ? $data['redirect_url'] : admin_url();
+    $redirect_to = apply_filters('login_redirect', $redirect_to, '', $user);
+    $redirect_to = apply_filters('wp_cli_login/login_redirect', $redirect_to, '', $user);
+
+    if ((empty($redirect_to) || $redirect_to == 'wp-admin/' || $redirect_to == admin_url())) {
+        if (is_multisite() && ! get_active_blog_for_user($user->ID) && ! is_super_admin($user->ID)) {
+            $redirect_to = user_admin_url();
+        } elseif (is_multisite() && ! $user->has_cap('read')) {
+            $redirect_to = get_dashboard_url($user->ID);
+        } elseif (! $user->has_cap('edit_posts')) {
+            $redirect_to = $user->has_cap('read') ? admin_url('profile.php') : home_url();
+        }
+
+        wp_redirect($redirect_to);
+        exit;
+    }
+
+    wp_safe_redirect($redirect_to);
+    exit;
+}
+add_action('login_init', __NAMESPACE__ . '\\handle_login_handoff');
+
 /**
  * @return bool
  */
@@ -133,8 +202,8 @@ public function run()
         try {
             $magic = $this->loadMagic();
             $user  = $this->validate($magic);
-            $this->loginUser($user);
-            $this->loginRedirect($user, $magic->redirect_url);
+            $this->deleteMagic();
+            $this->handoffRedirect($user, $magic->redirect_url);
         } catch (Exception $e) {
             $this->deleteMagic();
             $this->abort($e);
@@ -199,84 +268,30 @@ private function deleteMagic()
     }
 
     /**
-     * Login the given user and redirect them to wp-admin.
+     * Create a short-lived handoff token and redirect to wp-login.php.
      *
-     * @param WP_User $user
-     */
-    private function loginUser(WP_User $user)
-    {
-        $this->deleteMagic();
-
-        wp_set_auth_cookie($user->ID);
-
-        /**
-         * Fires after the user has successfully logged in via the WP-CLI Login Server.
-         *
-         * @param string  $user_login Username.
-         * @param WP_User $user       WP_User object of the logged-in user.
-         */
-        do_action('wp_cli_login/login', $user->user_login, $user);
-
-        /**
-         * Fires after the user has successfully logged in.
-         *
-         * @param string  $user_login Username.
-         * @param WP_User $user       WP_User object of the logged-in user.
-         */
-        do_action('wp_login', $user->user_login, $user);
-    }
-
-    /**
-     * Redirect the user after logging in.
-     *
-     * Mostly copied from wp-login.php
+     * CDN/proxy layers (e.g. Cloudflare with "Cache Everything") may strip
+     * Set-Cookie headers from responses on arbitrary URLs. By redirecting to
+     * wp-login.php — which CDNs universally exclude from caching — the auth
+     * cookies are set on a response the browser is guaranteed to receive intact.
      *
      * @param WP_User $user
      * @param string  $redirect_url
      */
-    private function loginRedirect(WP_User $user, $redirect_url)
+    private function handoffRedirect(WP_User $user, $redirect_url)
     {
-        $redirect_to = $redirect_url ?: admin_url();
-
-        /**
-         * Filters the login redirect URL.
-         *
-         * @param string           $redirect_to           The redirect destination URL.
-         * @param string           $requested_redirect_to The requested redirect destination URL passed as a parameter.
-         * @param WP_User          $user                  WP_User object.
-         */
-        $redirect_to = apply_filters('login_redirect', $redirect_to, '', $user);
-
-        /**
-         * Filters the login redirect URL for WP-CLI Login Server requests.
-         *
-         * @param string           $redirect_to           The redirect destination URL.
-         * @param string           $requested_redirect_to The requested redirect destination URL passed as a parameter.
-         * @param WP_User          $user                  WP_User object.
-         */
-        $redirect_to = apply_filters('wp_cli_login/login_redirect', $redirect_to, '', $user);
-
-        /**
-         * Figure out where to redirect the user for the default wp-admin URL based on the user's capabilities.
-         */
-        if ((empty($redirect_to) || $redirect_to == 'wp-admin/' || $redirect_to == admin_url())) {
-            // If the user doesn't belong to a blog, send them to user admin. If the user can't edit posts, send them to their profile.
-            if (is_multisite() && ! get_active_blog_for_user($user->ID) && ! is_super_admin($user->ID)) {
-                $redirect_to = user_admin_url();
-            } elseif (is_multisite() && ! $user->has_cap('read')) {
-                $redirect_to = get_dashboard_url($user->ID);
-            } elseif (! $user->has_cap('edit_posts')) {
-                $redirect_to = $user->has_cap('read') ? admin_url('profile.php') : home_url();
-            }
-
-            wp_redirect($redirect_to);
-            exit;
-        }
+        $token = bin2hex(random_bytes(16));
+
+        set_transient('wp_cli_login/handoff/' . $token, [
+            'user_id'      => $user->ID,
+            'redirect_url' => $redirect_url,
+        ], 30);
 
-        /**
-         * Redirect safely to the URL provided.
-         */
-        wp_safe_redirect($redirect_to);
+        nocache_headers();
+
+        wp_redirect(
+            add_query_arg('wp_cli_login_token', $token, wp_login_url())
+        );
         exit;
     }
 
