In WordPress 3.6 they added the “heartbeat” to the admin area and one of the features is this authentication check. You can disable this admin auth popup by adding the following to your functions.php file… // Remove admin login popup remove_action(‘admin_enqueue_scripts’, ‘wp_auth_check_load’);
As far as their use within WordPress, there is no native method to use $_SESSION. This means it is entirely on you to mitigate any security issues this presents. Other problems depend on how your session data is saved. One problem I’m aware of is when the allocated memory for memcache is reached, it will … Read more
If I remember, when a user is logged in using wp-loing.php, it is redirected. So, the correct flow should be: User log in In next page load (when user is redirected), hook on init and check if the user is correctly logged in, if so, start session and populate $_SESSION. Hook on wp_login and wp_logout … Read more
I’ve discovered the following stuff. This kind of login is called internally Interim. It works thanks to the continuous polling offered by the Heartbeat API. The prefix of the expired session functionality is wp-auth-check and the important bit for me was a little script at /wp-includes/js/wp-auth-check.js. When the auth check request is sent to the … Read more
wp_get_current_user will get you the WP_User object for the currently logged-in user: add_action( ‘wp_ajax_create_team’, ‘create_team’ ); function create_team() { $current_user = wp_get_current_user(); echo $current_user->ID; die; }
I went for the solution as suggested by @Rup in the comments. Replacing the two nonce functions, wp_create_nonce() and wp_verify_nonce() to prefix a nonce with a 1 or a 0 for logged-in and logged-out users respectively. The logged out nonces work by IP rather than User ID and session Token. Thus, allowing for nonces to … Read more
The reason is when you execute this code setcookie(‘wp-postpass_’ . COOKIEHASH, ”, 0, COOKIEPATH); It will reset your post password cookie to blank ”, so it just work once To solve this you need to assign the original cookie and extend the timeout, like this setcookie(‘wp-postpass_’ . COOKIEHASH, $_COOKIE[‘wp-postpass_’ . COOKIEHASH], time() + 60 * … Read more
Your code doesn’t seem to be wrong, it’s just how I would do it – see my answer here. So the question would be is your session getting started? Try debugging this: // do you have a session id $s_id = session_id(); print_r($s_id); // can you declare a bogus session variable, yours might just be … Read more
You also need to define a matching COOKIEHASH for both sites – a random 32 bit string will do. By default, COOKIEHASH is an MD5 hash of the site URL, and is used to generate the default names for all authentication-related cookies. Hence why, at the moment, your cross-domain login isn’t working (the names of … Read more
WordPress doesn’t use PHP sessions, so WordPress itself can not be related with your sessions working or not regarding if you are logged in or not (I think). Try to call session_start() on init action instead of doing it in a template file and be sure it is called before your custom library is loaded. … Read more