You wouldn’t guess it from the announcement, but WordPress 2.6 completely changes the cookies set when a user authenticates, and in the process breaks quite a few WordPress Authentication Plugins, including Pamelaware for WordPress.
I am fiddling with the fix now, but haven’t quite perfected the process; I can set the new cookies, using the new cookie setting function, but somehow the cookies I set with the cookie setting function don’t look exactly the same as the cookies WordPress sets when it executes the same function.
There have been a few non-plugin-related panics around the cookies as well – some admins are unable to get to their consoles. Fixes range from clearing your browser cache and deleting cookies to adding an extra define statement in your wp-config.php file.
If you have already upgraded to WordPress 2.6, you’ll need to disable the Pamelaware for WordPress plugin until I can get this fix out — I hope this will be today. If you haven’t upgraded to WordPress 2.6, you may want to hold off, or at least to make sure you have time to deal with possible authentication issues like the ones that are cropping up in the forums.
The good news is that I now know that if you develop WordPress authentication plugins, you need to be subscribed to this guy’s blog if you don’t want to be caught by surprise with changes to authentication mechanisms in WordPress.
Update: I have a working fix now — you can get it from the 0.9 release branch subversion tree, if you want to play. I have not yet updated the tarball to reflect this change, as I haven’t tested it enough to be sure it won’t break under obscure circumstances. Contact me if you want more detail prior to a tested release.