This has been fixed in 4.7.3
After upgrading from WordPress multisite 4.6.3 to 4.7.2, I experienced that users:
- were not able to preview drafts – Not found 404 status
- have to log into each subsite separately
- can’t logout because of 403 status from wp_nonce_ays() (ays = are you sure)
- admin bar not visible on the frontend because is_user_logged_in() is false on the frontend
- nonce verification problems
I keep the WordPress core in it’s own /wp sub folder.
Pre 4.7 it was:
define( 'COOKIEHASH', '' );
but in 4.7 it was changed to
define( 'COOKIEHASH', md5( wp_guess_url() ) );
This was problematic for my install because that functions has different output values for the front-end and backend.
The avoid the to avoid the url-guessing with wp_guess_url() in wp_cookie_constants(), we have to set the
in the wp_sitemeta table. It was missing in my case for some unknown reason.
Another workaround is to add:
define( 'COOKIEHASH', md5( 'http://example.tld' ) );
into the wp-config.php file, to avoid the url guessing.
This also explains why defining WP_SITEURL to a non-empty string works, as mentioned by @fwdcar, as it circumvents the url guessing too.
Hope it helps!