Wordpress hack: detecting login cookies when Wordpress is not installed at your blog URL

Sep 25, 2009

This is a technical description of a programming trick with the blogging engine Wordpress (which runs this blog). I know the useless blather you usually read–or, more accurately, ignore–here has nothing to do with programming, but bear with me for one post, because I think people searching on Google might find this trick useful.

UPDATE 9/26/09: This hack doesn’t actually work, because the login cookies need to be set to two different directories–your blog url and your Wordpress installation folder–in order for all parts of your blog to work. I’ll post a fix once I figure out a way around this. It won’t be pretty though, since Wordpress 2.8 hasn’t been set up to directly deal with this issue yet.

So Wordpress has a cool feature / semi-intentional built-in hack that allows you to install the Wordpress scripts in one folder (e.g. jueseph.com/blog), but have your blog URL be something different (e.g. jueseph.com). This is helpful for people who want to have a nice short URL for the blog, but don’t want to have to have all those ‘wp-’ scripts cluttering up their root directory on the webserver.

Unfortunately, this trick has a fatal flaw, which I noticed today when I was implementing it for a friend’s new blog: Wordpress no longer recognizes that you are logged in, even if you are! This means that you can’t post comments as a logged-in user, display an ‘edit’ link using the edit_post_link() function, or display a handy ‘log in’/‘log out’ link using wp_loginout(). While the latter 2 features might seem a little esoteric (although they’re unbelievably useful, if you think about it), not being able to post comments as a logged-in user is a pretty serious handicap. So how do we fix this?

The solution is simple, although finding it on Google took a little more time than I expected. Basically, if you’re in my situation–Wordpress is installed in ‘/blog/’ on the webserver, but the blog appears at ‘/’ online–you need to insert the following 2 lines of code into your wp-config.php file (the explanatory comment is optional, obviously):

/* Allow Wordpress to detect login cookie from site root */
define('COOKIEPATH', '/');
define('SITECOOKIEPATH', '/');

If your blog doesn’t appear on your site root, then just replace the ‘/’ with the path of your actual blog URL. In other words, if your ‘blog url’ in settings is http://domain.com/folder/, then replace ‘/’ above with ‘/folder/’.
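
To see why the cookie path decides whether the front end sees your login, here is an added example (not part of the original post and not Wordpress code) of the path-match rule browsers apply before attaching a cookie to a request, as specified in RFC 6265 section 5.1.4. The cookie names and request paths are constructed for illustration.

```javascript
// RFC 6265 section 5.1.4 path-match: does a cookie with this Path
// attribute get attached to a request for requestPath?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so "/blog" does not
  // match "/blogger/".
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Names of the cookies in `jar` that a browser would send with a request.
function cookiesSentFor(requestPath, jar) {
  return jar.filter(c => pathMatch(requestPath, c.path)).map(c => c.name);
}

// Constructed sample: a login cookie scoped two different ways.
const jar = [
  { name: 'login_scoped_to_install_dir', path: '/blog/' },
  { name: 'login_scoped_to_site_root', path: '/' },
];

// Constructed request paths: the blog front end at "/", the Wordpress
// scripts under "/blog/", and an unrelated application on the same host.
const requests = ['/', '/2009/09/some-post/', '/blog/wp-admin/', '/otherapp/'];

function report() {
  return requests.map(p => ({ path: p, sent: cookiesSentFor(p, jar) }));
}

for (const r of report()) {
  console.log(r.path.padEnd(22), r.sent.join(', ') || '(none)');
}
```

The cookie scoped to ‘/blog/’ never reaches requests for ‘/’ or for post URLs, which is why the front end cannot tell you are logged in. The cookie scoped to ‘/’ is attached to every path on the host, including ‘/otherapp/’, so set the path no wider than the blog URL requires when other applications share the domain.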

Now just log out and log back in (to refresh your cookies), and you should be able to see your ‘edit post’ links and comment as an authenticated user again. Easy, right?

Well now that you’ve read this, it is. I’m personally a little annoyed that Wordpress posted the installation directory trick in their official documentation–and even nudged you to use it, on the ‘general settings’ page next to the input for ‘blog url’–without checking first that their hack didn’t break anything. And frankly, reading all the stuff out there that I’ve Googled, it doesn’t seem like anyone else has ever needed to solve (or perhaps more accurately, persevered at solving) this problem in this particular context. I ended up finding lots of interesting hacks unrelated to my problem on Google, and only after exhausting the possible search terms, found this forum thread that explains it all. Thanks to Samuel “Otto” Wood for providing the suggestion about cookies.

And note to the Wordpress team: your software is f’ing awesome, but PLEASE ADD THIS HACK TO YOUR DOCUMENTATION and save people like me a lot of grief in the future.

In case you’re curious, here are some related (but alas, not related enough to save me 2 hours of Googling) tips and tricks I turned up:

And if there was an easier solution to this that was out there but I just missed (which I always suspect when I spend hours trying to fix something that seems absurdly common / simple), please let me and your fellow Wordpress hackers know in the comments. Thanks, and hope this helps someone out there.