WordPress 2.6: SSL and Cookies

If your host supports SSL, WordPress 2.6 includes better support for visiting the admin over SSL. Part of this support involves making sure authorization cookies are delivered only over SSL-encrypted HTTPS sessions. To accommodate this while still allowing the option of visiting the admin over plain http, 2.6 moves from a single cookie setup to a three cookie setup.

In previous releases, WP set one cookie. This cookie was delivered to all parts of your blog over both secure SSL connections and regular, unsecured connections. To remedy this, WordPress 2.6 sets separate “logged in” and “auth” cookies. The logged in cookie is delivered for all pages of your blog over both SSL and non-SSL sessions. The logged in cookie cannot be used to access the admin. It merely indicates that a particular user is currently logged in. The logged in cookie cannot be used to make changes to the blog.

The auth cookie, on the other hand, is delivered only for the admin area and can be used to make changes to the blog. If you log in via https, your auth cookie will be delivered only for SSL sessions.
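To make the delivery rules above concrete, here is an added Python model of the two cookies the post describes. It is illustrative code written for this page, not WordPress's own implementation: the cookie names `logged_in` and `auth`, the admin path `/wp-admin`, and the `Request` shape are assumptions chosen for the example. It applies the RFC 6265 rules a browser uses (path matching plus the `Secure` attribute) to decide which cookies would accompany a request, then shows that only the auth cookie grants admin access, and only over HTTPS when the login happened over HTTPS.

```python
from dataclasses import dataclass

ADMIN_PATH = "/wp-admin"  # assumed admin area path for this example


@dataclass(frozen=True)
class Cookie:
    name: str
    path: str      # cookie Path attribute
    secure: bool   # cookie Secure attribute


@dataclass(frozen=True)
class Request:
    scheme: str    # "http" or "https"
    path: str      # request path, e.g. "/wp-admin/post.php"


def issue_cookies(login_over_https: bool) -> list[Cookie]:
    """Cookies set at login, following the post's description.

    - logged_in: whole site, sent over both http and https, no admin rights.
    - auth: admin area only; marked Secure only if the login used https.
    """
    return [
        Cookie(name="logged_in", path="/", secure=False),
        Cookie(name="auth", path=ADMIN_PATH, secure=login_over_https),
    ]


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # prefix match counts only on a path-segment boundary
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def would_be_sent(cookie: Cookie, req: Request) -> bool:
    """Would a browser attach this cookie to this request?"""
    if cookie.secure and req.scheme != "https":
        return False
    return path_matches(cookie.path, req.path)


def cookies_for_request(cookies: list[Cookie], req: Request) -> set[str]:
    return {c.name for c in cookies if would_be_sent(c, req)}


def admin_authorized(sent_cookie_names: set[str]) -> bool:
    """The admin accepts only the auth cookie; logged_in alone is not enough."""
    return "auth" in sent_cookie_names


def can_edit_blog(login_over_https: bool, req: Request) -> bool:
    """End-to-end: which cookies reach the request, and do they unlock the admin?"""
    return admin_authorized(cookies_for_request(issue_cookies(login_over_https), req))


if __name__ == "__main__":
    for login_https in (True, False):
        for req in (Request("https", "/wp-admin/post.php"),
                    Request("http", "/wp-admin/post.php"),
                    Request("https", "/"),
                    Request("http", "/wp-admin-lookalike")):
            print(f"login_https={login_https} {req.scheme} {req.path}: "
                  f"sent={sorted(cookies_for_request(issue_cookies(login_https), req))} "
                  f"admin={can_edit_blog(login_https, req)}")
```

The path-segment check in `path_matches` is the detail worth noticing: a cookie scoped to `/wp-admin` is not sent to `/wp-admin-lookalike`, and the `Secure` flag is what keeps an HTTPS-issued auth cookie off plain-http requests even when the path does match.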
