Make WordPress Core

Opened 3 years ago

Last modified 3 years ago

#52721 new defect (bug)

No way to filter value of $credentials['remember'] in wp_signon

Reported by: mirkolofio's profile mirkolofio Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 1.5.1
Component: Login and Registration Keywords: needs-patch
Focuses: Cc:

Description

There are famous plugins out there using wp_signon and providing $credentials, so essentially $_POST values are completely ignored. Meanwhile, $credentials lacks of 'remember' value in these plugins, so for the wp_signon function means 'remember = false'.

If you want to force that remember = 1, there's only the wp_authenticate filter available which:

  1. is maybe deprecated?
  2. does not pass the remember value

So, basically, there is no way to filter the remember value, when the wp_signon function is not properly called by someone.

Change History (2)

#1 @peterwilsoncc
3 years ago

  • Milestone changed from Awaiting Review to 5.8
  • Version changed from 5.6.2 to 1.5.1

Hi @mirkolofio and welcome back to trac.

It looks like the @todo asking whether the filter should be deprecated was added in early 2014 as part of [27353].

I think allowing the remember me setting to be filtered makes sense, both for the use case you describe and for plugins either wishing to enforce or prevent users from being remembered.

My inclination is to deprecate the action and replace it with a filter (wp_signon_credentials maybe) that will allow plugin authors to modify the credentials array how they see fit.

A search of the plugin repository shows 374 plugins are using the current action, the top five all have over one million installs, the top two over three million.

I'll move this on to the 5.8 milestone to start the discussion:

  • naming things
  • whether to deprecate the existing action (my inclination) or simply delete the todo.

#2 @JeffPaul
3 years ago

  • Milestone changed from 5.8 to Future Release

With no traction on this ticket in the 5.8 release cycle and no patch/PR associated I'm going to punt to Future Release. Once discussion can settle on the naming and approach such that a patch/PR can be crafted, then this ticket can get added back to a numbered milestone.

Note: See TracTickets for help on using tickets.