Don't fallback to DB info for secret key. Allow expiration grace period for AJAX requests. see #5367

git-svn-id: https://develop.svn.wordpress.org/trunk@6471 602fd350-edb4-49c9-b593-d223f7449a82

wp-config-sample.php

@@ -6,6 +6,10 @@ define('DB_PASSWORD', 'yourpasswordhere'); // ...and password
 define('DB_HOST', 'localhost');    // 99% chance you won't need to change this value
 define('DB_CHARSET', 'utf8');
 define('DB_COLLATE', '');
+
+// Change SECRET_KEY to a unique phrase.  You won't have to remember it later,
+// so make it long and complicated.  You can visit https://www.grc.com/passwords.htm
+// to get a phrase generated for you.
 define('SECRET_KEY', ''); // Change this to a unique phrase.
 
 // You can have multiple installations in one database if you give each a unique prefix

wp-includes/pluggable.php

@@ -336,8 +336,8 @@ function wp_validate_auth_cookie($cookie = '') {
 
 	$expired = $expiration;
 
-	// Allow a grace period for POST requests
+	// Allow a grace period for POST and AJAX requests
-	if ( 'POST' == $_SERVER['REQUEST_METHOD'] )
+	if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] )
 		$expired += 3600;
 
 	if ( $expired < time() )
@@ -699,18 +699,17 @@ endif;
 
 if ( !function_exists('wp_salt') ) :
 function wp_salt() {
+
+	if ( defined('SECRET_KEY') && '' != SECRET_KEY )
+		return SECRET_KEY;
+
 	$salt = get_option('secret');
 	if ( empty($salt) ) {
 		$salt = wp_generate_password();
 		update_option('secret', $salt);
 	}
 
-	if ( !defined('SECRET_KEY') || '' == SECRET_KEY )
+	return $salt;
-		$secret_key = DB_PASSWORD . DB_USER . DB_NAME . DB_HOST . ABSPATH;
-	else
-		$secret_key = SECRET_KEY;
-		
-	return $salt . $secret_key;
 }
 endif;