Make WordPress Core

Opened 12 years ago

Closed 11 years ago

Last modified 10 years ago

#19821 closed enhancement (invalid)

Make wp_validate_auth_cookie() filterable

Reported by: sirzooro
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.3.1
Component: Users
Keywords: has-patch dev-feedback
Focuses:
Cc:

Description

When WordPress loads, it does not call the same functions as when the login form is submitted - instead it uses different ones to validate that the authentication cookie is present and valid. The call stack is as follows:

settings.php
WP::init()
wp_get_current_user()
get_currentuserinfo()
wp_validate_auth_cookie()

When a plugin wants to validate some extra things (e.g. decide if a user can log in by checking user meta), the only way is to replace one of the functions defined in pluggable.php - wp_validate_auth_cookie() seems to be a good candidate for this. Unfortunately this can be done only once, so now it is impossible to use a few plugins which want to do some extra checks at the same time. Therefore I propose to extend the wp_validate_auth_cookie() function by adding a validate_auth_cookie filter to it - see attached patch. It will allow hooking into the cookie validation process, without the need to replace the pluggable function.

Attachments (1)

19732.diff (2.3 KB) - added by sirzooro 12 years ago.
Proposed patch + coding standard


Change History (6)

@sirzooro
12 years ago

Proposed patch + coding standard

#1 @nacin
12 years ago

Could you share a potential use case for this?

#2 @sirzooro
12 years ago

Of course:

  1. User 1 successfully logs in to WP;
  2. User 2 tries to guess the password for user 1. This WP instance has the User Locker plugin installed, so the account will be locked after a few invalid attempts;
  3. User 1 loads some WP page. At this moment his account is already locked, so it will be good to invalidate the authentication cookie and force a logout.

I can think of cases when multiple plugins may want to hook into the cookie authentication process - other plugins besides User Locker may check user status in an external registry like LDAP, check if the IP or User Agent has changed since the last request, check date/time (the user may have specified hours when he may log in), etc. Without this extra filter only one plugin is able to hook into this by replacing the wp_validate_auth_cookie() pluggable function.


#3 @c3mdigital
11 years ago

  • Keywords dev-feedback added

#4 @nacin
11 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

I think the right hook for this is set_current_user.
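
The approach suggested in comment #4, as an added example that is not part of the ticket, the attached patch, or WordPress core: a callback on the set_current_user action that logs out a locked account on its next request. The function name and the example_locked_until user meta key are hypothetical; because set_current_user is an action, each plugin can attach its own check without replacing a pluggable function.

```php
<?php
/**
 * Added example: enforce an account lock on every authenticated request.
 * 'example_locked_until' is a hypothetical user meta key holding a Unix
 * timestamp; a real lockout plugin keeps its state under its own key.
 */
add_action( 'set_current_user', 'example_enforce_account_lock' );

function example_enforce_account_lock() {
	// wp_set_current_user( 0 ) below fires this action again; do not re-enter.
	static $running = false;
	if ( $running ) {
		return;
	}

	$user_id = get_current_user_id();
	if ( 0 === $user_id ) {
		return; // Anonymous request, nothing to enforce.
	}

	$locked_until = (int) get_user_meta( $user_id, 'example_locked_until', true );
	if ( $locked_until <= time() ) {
		return; // No lock recorded, or the lock has expired.
	}

	$running = true;

	// Invalidate every session token for the account, so auth cookies held
	// by other browsers stop validating as well.
	WP_Session_Tokens::get_instance( $user_id )->destroy_all();

	// Expire the cookies in this browser while headers can still be sent.
	if ( ! headers_sent() ) {
		wp_clear_auth_cookie();
	}

	// Treat the remainder of this request as anonymous.
	wp_set_current_user( 0 );

	$running = false;
}
```

The action also fires when other code calls wp_set_current_user() directly, so the check applies to those user switches as well as to cookie logins.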
