Make WordPress Core

Opened 7 weeks ago

Last modified 7 weeks ago

#52721 new defect (bug)

No way to filter value of $credentials['remember'] in wp_signon

Reported by: mirkolofio Owned by:
Milestone: 5.8 Priority: normal
Severity: normal Version: 1.5.1
Component: Login and Registration Keywords: needs-patch
Focuses: Cc:


There are famous plugins out there using wp_signon and providing $credentials, so essentially $_POST values are completely ignored. Meanwhile, $credentials lacks of 'remember' value in these plugins, so for the wp_signon function means 'remember = false'.

If you want to force that remember = 1, there's only the wp_authenticate filter available which:

  1. is maybe deprecated?
  2. does not pass the remember value

So, basically, there is no way to filter the remember value, when the wp_signon function is not properly called by someone.

Change History (1)

#1 @peterwilsoncc
7 weeks ago

  • Milestone changed from Awaiting Review to 5.8
  • Version changed from 5.6.2 to 1.5.1

Hi @mirkolofio and welcome back to trac.

It looks like the @todo asking whether the filter should be deprecated was added in early 2014 as part of [27353].

I think allowing the remember me setting to be filtered makes sense, both for the use case you describe and for plugins either wishing to enforce or prevent users from being remembered.

My inclination is to deprecate the action and replace it with a filter (wp_signon_credentials maybe) that will allow plugin authors to modify the credentials array how they see fit.

A search of the plugin repository shows 374 plugins are using the current action, the top five all have over one million installs, the top two over three million.

I'll move this on to the 5.8 milestone to start the discussion:

  • naming things
  • whether to deprecate the existing action (my inclination) or simply delete the todo.
Note: See TracTickets for help on using tickets.