Make WordPress Core

Opened 10 years ago

Closed 8 years ago

Last modified 8 years ago

#19821 closed enhancement (invalid)

Make wp_validate_auth_cookie() filterable

Reported by: sirzooro Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.3.1
Component: Users Keywords: has-patch dev-feedback
Focuses: Cc:


When WordPress loads, it does not call the same functions as when login form is submitted - instead it uses different ones to validate that authentication cookie is present and valid. Call stack is as follows:


When plugin wants to validate some extra things (e.g. decide if user can login by checking user meta), the only way is to replace one of functions defined in pluggable.php - wp_validate_auth_cookie() seems to be a good candidate for this. Unfortunately this can be done only once, so now it is impossible to use few plugins which wants to do some extra checks at the same time. Therefore I propose to extend the wp_validate_auth_cookie() function by adding validate_auth_cookie filter to it - see attached patch. It will allow to hook into the cookie validation process, without the need to replace pluggable function.

Attachments (1)

19732.diff (2.3 KB) - added by sirzooro 10 years ago.
Proposed patch + coding standard

Download all attachments as: .zip

Change History (6)

10 years ago

Proposed patch + coding standard

#1 @nacin
9 years ago

Could you share a potential use case for this?

#2 @sirzooro
9 years ago

Of course:

  1. User 1 successfully logs in to WP;
  2. User 2 tries to guess password for user 1. This WP instance has the User Locker plugin installed, so account will be locked after few invalid attempts;
  3. User 1 loads some WP page. At this moment his account is already locked, so it will be good to invalidate authentication cookie and force logout.

I can think of case when multiple plugins may want to hook into cookie authentication process - other plugins beside User Locker may check user status in external registry like LDAP, check if IP or User Agent has changed since last request, check date/time (user may have specified hours when he may log in), etc. Without this extra filter only one plugin is able to hook into this by replacing wp_validate_auth_cookie() pluggable function.

Last edited 9 years ago by sirzooro (previous) (diff)

#3 @c3mdigital
8 years ago

  • Keywords dev-feedback added

#4 @nacin
8 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

I think the right hook for this is set_current_user.

Note: See TracTickets for help on using tickets.