WordPress user Authentication

After researching and looking up the WordPress Codex, this is the code that I have used to authenticate.. I hope this helpful to all friends .it’s working fine for me 🙂 $creds = array( ‘user_login’ => $username, ‘user_password’ => $userpassword, ‘remember’ => true ); if(!empty($username) && !empty($userpassword)) { if(!username_exists($username)) { $userdata = array( ‘user_login’ => … Read more

Auth cookie value security risk?

Can they for example simply copy the cookie and “be” logged in as the user who was the original cookie owner? Yes! with the cookie they basically have your login session. You do not want 3rd parties to get the cookie. Keep in mind there is more than 1 cookie, for frontend and for backend. … Read more

Authenticate a user for current request

Yes, you can hook determine_current_user. This is how WordPress calls the existing code that processes authentication cookies: add_filter( ‘determine_current_user’, ‘wp_validate_auth_cookie’ ); add_filter( ‘determine_current_user’, ‘wp_validate_logged_in_cookie’, 20 ); e.g. see the implementations of those in wp-includes/pluggable.php. Your filter should return the user ID of the user you want to authenticate as once you’ve processed the headers. That … Read more

Set authentication cookies to be shorter but then extend with every page load

You do not need to rewrite wp_set_auth_cookie(), it allows you to change the expiration time of the cookie: add_filter( ‘auth_cookie_expiration’, ‘wpse101378_change_expire_time’, 3 ); function wpse101378_change_expire_time( $expire, $user_id, $remember ){ //The $remember variable indicates whether the user has elected //to be ‘remembered’. //By default, if true, WP sets expire to 14 days if false, 2 days … Read more

How to get the ID of the currently logged in user?

get_current_user_id() effectively does what @Giri had described in the first snippet. The internal WordPress function-call chain eventually calls get_currentuserinfo() which already checks if there is a WP_User object, meaning a user is logged in. Thus, from what I can see in the linked code, get_current_user_id() always returns the ID of the user that is logged … Read more