wp_validate_auth_cookie

Validates authentication cookie.

Description

(false|int) wp_validate_auth_cookie( (string) $cookie = '', (string) $scheme = '' ); 

The checks include making sure that the authentication cookie is set and pulling in the contents (if $cookie is not used).

Makes sure the cookie is not expired. Verifies the hash in the cookie is what it should be by recomputing it and comparing the two.

Returns (false|int)

False if invalid cookie, User ID if valid.

Parameters (2)

0. $cookie — Optional. (string) => ''
If used, will validate contents instead of cookie's
1. $scheme — Optional. (string) => ''
The cookie scheme to use: auth, secure_auth, or logged_in

Usage

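  // wp_validate_auth_cookie() lives in pluggable.php, so another component may
  // already have defined it. Load the core file only when nothing has, and keep
  // in mind that the result below comes from whichever definition is active.
  if ( ! function_exists( 'wp_validate_auth_cookie' ) ) {
      require_once ABSPATH . WPINC . '/pluggable.php';
  }

  // Optional. If used, will validate contents instead of cookie's
  $cookie = '';

  // Optional. The cookie scheme to use: auth, secure_auth, or logged_in
  $scheme = '';

  // NOTICE! Understand what this does before running.
  // The return value is false for an invalid cookie and the user ID for a valid
  // one, so test it with a strict comparison (false === $result) rather than
  // relying on truthiness.
  $result = wp_validate_auth_cookie( $cookie, $scheme );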

Defined (1)

The function is defined in the following location(s).

/wp-includes/pluggable.php  
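  /**
   * Validates an authentication cookie and returns the ID of the user it names.
   *
   * The checks run in a fixed order and the first failure returns false:
   * cookie parsing, expiry (with a one-hour grace period for POST and Ajax
   * requests), user lookup by login name, HMAC comparison, and session-token
   * verification. Each failure except the session-token one fires an action
   * hook that monitoring code can listen to.
   *
   * Hook listeners receive $cookie_elements, which contains the 'hmac' and
   * 'token' values taken from the cookie; code that records these events
   * should not write those two fields out verbatim.
   *
   * @param string $cookie Optional. If used, will validate contents instead of cookie's.
   * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in.
   * @return false|int False if invalid cookie, User ID if valid.
   */
  function wp_validate_auth_cookie( $cookie = '', $scheme = '' ) {
      $cookie_elements = wp_parse_auth_cookie( $cookie, $scheme );
      if ( ! $cookie_elements ) {
          /**
           * Fires if an authentication cookie is malformed.
           * @since 2.7.0
           * @param string $cookie Malformed auth cookie.
           * @param string $scheme Authentication scheme. Values include 'auth', 'secure_auth',
           * or 'logged_in'.
           */
          do_action( 'auth_cookie_malformed', $cookie, $scheme );
          return false;
      }

      // From here on the scheme reported by the parser is used, not the argument.
      $scheme     = $cookie_elements['scheme'];
      $username   = $cookie_elements['username'];
      $hmac       = $cookie_elements['hmac'];
      $token      = $cookie_elements['token'];
      $expiration = $cookie_elements['expiration'];
      $expired    = $expiration;

      // Allow a grace period for POST and Ajax requests.
      // REQUEST_METHOD can be absent outside a web request, so test for it first.
      if ( wp_doing_ajax() || ( isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'] ) ) {
          $expired += HOUR_IN_SECONDS;
      }

      // Quick check to see if an honest cookie has expired.
      // The expiration value is still unauthenticated at this point; it is part
      // of the HMAC input below, so a forged value fails the hash comparison.
      if ( $expired < time() ) {
          /**
           * Fires once an authentication cookie has expired.
           * @since 2.7.0
           * @param array $cookie_elements An array of data for the authentication cookie.
           */
          do_action( 'auth_cookie_expired', $cookie_elements );
          return false;
      }

      $user = get_user_by( 'login', $username );
      if ( ! $user ) {
          /**
           * Fires if a bad username is entered in the user authentication process.
           * @since 2.7.0
           * @param array $cookie_elements An array of data for the authentication cookie.
           */
          do_action( 'auth_cookie_bad_username', $cookie_elements );
          return false;
      }

      // Four characters of the stored password hash are mixed into the key, so a
      // cookie issued before a password change will normally fail the check below.
      $pass_frag = substr( $user->user_pass, 8, 4 );

      $key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );

      // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
      $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
      $hash = hash_hmac( $algo, $username . '|' . $expiration . '|' . $token, $key );

      // hash_equals() is a timing-safe comparison; do not replace it with == or ===.
      if ( ! hash_equals( $hash, $hmac ) ) {
          /**
           * Fires if a bad authentication cookie hash is encountered.
           * @since 2.7.0
           * @param array $cookie_elements An array of data for the authentication cookie.
           */
          do_action( 'auth_cookie_bad_hash', $cookie_elements );
          return false;
      }

      // A correctly signed cookie is still rejected when the session manager does
      // not accept its token. This branch fires no action hook in this listing,
      // so hook-based monitoring does not see these rejections.
      $manager = WP_Session_Tokens::get_instance( $user->ID );
      if ( ! $manager->verify( $token ) ) {
          return false;
      }

      // Ajax/POST grace period set above: the cookie is past its own expiration
      // and was accepted only because of the extra hour, so flag that globally.
      if ( $expiration < time() ) {
          $GLOBALS['login_grace_period'] = 1;
      }

      /**
       * Fires once an authentication cookie has been validated.
       * @since 2.7.0
       * @param array $cookie_elements An array of data for the authentication cookie.
       * @param WP_User $user User object.
       */
      do_action( 'auth_cookie_valid', $cookie_elements, $user );

      return $user->ID;
  }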