Opened 16 months ago
Last modified 11 months ago
#19821 new enhancement
Make wp_validate_auth_cookie() filterable
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Awaiting Review |
| Component: | Users | Version: | 3.3.1 |
| Severity: | normal | Keywords: | has-patch |
| Cc: | | | |
Description
When WordPress loads, it does not call the same functions as when the login form is submitted - instead it uses different ones to validate that the authentication cookie is present and valid. The call stack is as follows:
- settings.php
- WP::init()
- wp_get_current_user()
- get_currentuserinfo()
- wp_validate_auth_cookie()
When a plugin wants to validate some extra things (e.g. decide if a user can log in by checking user meta), the only way is to replace one of the functions defined in pluggable.php - wp_validate_auth_cookie() seems to be a good candidate for this. Unfortunately this can be done only once, so now it is impossible to use a few plugins which want to do some extra checks at the same time. Therefore I propose to extend the wp_validate_auth_cookie() function by adding a validate_auth_cookie filter to it - see the attached patch. It will allow hooking into the cookie validation process without the need to replace the pluggable function.
Attachments (1)
Change History (3)
Of course:
- User 1 successfully logs in to WP;
- User 2 tries to guess the password for user 1. This WP instance has the User Locker plugin installed, so the account will be locked after a few invalid attempts;
- User 1 loads some WP page. At this moment his account is already locked, so it will be good to invalidate the authentication cookie and force a logout.

Proposed patch + coding standard
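
How two plugins could use the proposed filter side by side, which replacing the pluggable function does not allow. This is an added example, not code from the ticket or its patch. The patch is not shown on this page, so the filter signature (validated user ID in, user ID or false out) is an assumption, and the function names and meta keys are hypothetical.

```php
<?php
/*
 * Added example for the filter proposed in this ticket.
 * ASSUMPTION: 'validate_auth_cookie' passes the user ID that core has just
 * validated and expects the user ID back, or false to reject the cookie.
 * The meta keys 'example_account_locked' and 'example_account_expires'
 * are hypothetical.
 */

// Plugin A (account locker): reject the cookie once the account is locked,
// so an already logged-in session stops working on the next page load.
function example_locker_validate_cookie( $user_id ) {
	if ( ! $user_id ) {
		return $user_id; // Already rejected by core or an earlier callback.
	}
	if ( get_user_meta( $user_id, 'example_account_locked', true ) ) {
		return false; // Request is treated as unauthenticated.
	}
	return $user_id;
}
add_filter( 'validate_auth_cookie', 'example_locker_validate_cookie', 10, 1 );

// Plugin B (account expiry): an independent check on the same hook.
// Neither plugin has to redefine wp_validate_auth_cookie().
function example_expiry_validate_cookie( $user_id ) {
	if ( ! $user_id ) {
		return $user_id; // Never turn a rejection back into a valid login.
	}
	$expires = (int) get_user_meta( $user_id, 'example_account_expires', true );
	if ( $expires > 0 && $expires < time() ) {
		return false;
	}
	return $user_id;
}
add_filter( 'validate_auth_cookie', 'example_expiry_validate_cookie', 20, 1 );
```

Each callback passes a falsy value through unchanged, so the result is the same whatever order the plugins load in: any single rejection makes the cookie invalid.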