WordPress REST API – Permission Callbacks

The issue was because I wasn’t generating and sending a nonce value with the request. In order to generate a nonce value, localize the value of a wp_create_nonce('wp_rest') function call. wp_localize_script('application', 'api', array( 'root' => esc_url_raw(rest_url()), 'nonce' => wp_create_nonce('wp_rest') )); This will then be accessible to the window object of the browser which can be …

How to check username/password without signing in the user

There is a function in the user.php of the core files called wp_authenticate_username_password that seems like what you’re looking for. If you want to avoid throwing in the $user object (you probably only have the username + password), then just throw null as 1st function argument in: $check = wp_authenticate_username_password( NULL, 'some_username', '#thepassw0rd' ); You …

Extend WordPress (4.x) session and nonce

Your problem is that you call wp_logout_url immediately after wp_set_auth_cookie. wp_set_auth_cookie() does some setcookie() calls. Unfortunately setcookie doesn’t make the new value available instantly in the PHP global $_COOKIE. It must be set through a new HTTP Request first. wp_logout_url() (via wp_nonce_url > wp_create_nonce > wp_get_session_token > wp_parse_auth_cookie) fetches $_COOKIE[LOGGED_IN_COOKIE] in order to create a …

why does WordPress need two cookies for auth/login

“On login, WordPress uses the wordpress_[hash] cookie to store your authentication details. Its use is limited to the admin console area, /wp-admin/. After login, WordPress sets the wordpress_logged_in_[hash] cookie, which indicates when you’re logged in, and who you are, for most interface use. WordPress also sets a few wp-settings-{time}-[UID] cookies. The number on the end …