
Changeset 8696


Timestamp:
08/21/2008 12:08:25 AM (17 years ago)
Author:
ryan
Message:

Some cookie validation hooks. fixes #7440

File:
1 edited

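--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -486,4 +486,79 @@
  */
 function wp_validate_auth_cookie($cookie = '', $scheme = 'auth') {
+    if ( ! $cookie_elements = wp_parse_auth_cookie($cookie, $scheme) ) {
+        do_action('auth_cookie_malformed', $cookie, $scheme);
+        return false;
+    }
+
+    extract($cookie_elements, EXTR_OVERWRITE);
+
+    $expired = $expiration;
+
+    // Allow a grace period for POST and AJAX requests
+    if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] )
+        $expired += 3600;
+
+    // Quick check to see if an honest cookie has expired
+    if ( $expired < time() ) {
+        do_action('auth_cookie_expired', $cookie_elements);
+        return false;
+    }
+
+    $key = wp_hash($username . '|' . $expiration, $scheme);
+    $hash = hash_hmac('md5', $username . '|' . $expiration, $key);
+
+    if ( $hmac != $hash ) {
+        do_action('auth_cookie_bad_hash', $cookie_elements);
+        return false;
+    }
+
+    $user = get_userdatabylogin($username);
+    if ( ! $user ) {
+        do_action('auth_cookie_bad_username', $cookie_elements);
+        return false;
+    }
+
+    do_action('auth_cookie_valid', $cookie_elements, $user);
+
+    return $user->ID;
+}
+endif;
+
+if ( !function_exists('wp_generate_auth_cookie') ) :
+/**
+ * Generate authentication cookie contents.
+ *
+ * @since 2.5
+ * @uses apply_filters() Calls 'auth_cookie' hook on $cookie contents, User ID
+ *      and expiration of cookie.
+ *
+ * @param int $user_id User ID
+ * @param int $expiration Cookie expiration in seconds
+ * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
+ * @return string Authentication cookie contents
+ */
+function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') {
+    $user = get_userdata($user_id);
+
+    $key = wp_hash($user->user_login . '|' . $expiration, $scheme);
+    $hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);
+
+    $cookie = $user->user_login . '|' . $expiration . '|' . $hash;
+
+    return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $scheme);
+}
+endif;
+
+if ( !function_exists('wp_parse_auth_cookie') ) :
+/**
+ * Parse a cookie into its components
+ *
+ * @since 2.7
+ *
+ * @param string $cookie
+ * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
+ * @return array Authentication cookie components
+ */
+function wp_parse_auth_cookie($cookie = '', $scheme = 'auth') {
     if ( empty($cookie) ) {
         if ( is_ssl() ) {
@@ -506,50 +581,5 @@
     list($username, $expiration, $hmac) = $cookie_elements;
 
-    $expired = $expiration;
-
-    // Allow a grace period for POST and AJAX requests
-    if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] )
-        $expired += 3600;
-
-    // Quick check to see if an honest cookie has expired
-    if ( $expired < time() )
-        return false;
-
-    $key = wp_hash($username . '|' . $expiration, $scheme);
-    $hash = hash_hmac('md5', $username . '|' . $expiration, $key);
-
-    if ( $hmac != $hash )
-        return false;
-
-    $user = get_userdatabylogin($username);
-    if ( ! $user )
-        return false;
-
-    return $user->ID;
-}
-endif;
-
-if ( !function_exists('wp_generate_auth_cookie') ) :
-/**
- * Generate authentication cookie contents.
- *
- * @since 2.5
- * @uses apply_filters() Calls 'auth_cookie' hook on $cookie contents, User ID
- *      and expiration of cookie.
- *
- * @param int $user_id User ID
- * @param int $expiration Cookie expiration in seconds
- * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
- * @return string Authentication cookie contents
- */
-function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') {
-    $user = get_userdata($user_id);
-
-    $key = wp_hash($user->user_login . '|' . $expiration, $scheme);
-    $hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);
-
-    $cookie = $user->user_login . '|' . $expiration . '|' . $hash;
-
-    return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $scheme);
+    return compact('username', 'expiration', 'hmac', 'scheme');
 }
 endif;
@@ -608,4 +638,6 @@
  */
 function wp_clear_auth_cookie() {
+    do_action('clear_auth_cookie');
+
     setcookie(AUTH_COOKIE, ' ', time() - 31536000, ADMIN_COOKIE_PATH, COOKIE_DOMAIN);
     setcookie(SECURE_AUTH_COOKIE, ' ', time() - 31536000, ADMIN_COOKIE_PATH, COOKIE_DOMAIN);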
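Review bot: The signature check at new line 510, `if ( $hmac != $hash )`, is carried into the restructured wp_validate_auth_cookie() unchanged and still applies PHP's loose comparison to a value parsed from the cookie. Loose `!=` compares two numeric-looking strings as numbers, so the check is neither a byte-for-byte match nor constant-time; the minimum change is `if ( $hmac !== $hash ) {`, and a constant-time comparison such as `hash_equals($hash, $hmac)` is preferable wherever the supported PHP version provides it. The new hooks also pass `$cookie_elements`, which includes the cookie's `hmac`, to every callback (for `auth_cookie_valid` that is a live credential), so the docblock should carry a line such as `Callbacks receive the cookie's hmac; do not log or store it.` The function's docblock starts outside the hunk.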