Make WordPress Core

Opened 4 years ago

Last modified 3 months ago

#52721 new defect (bug)

No way to filter value of $credentials['remember'] in wp_signon

Reported by: mirkolofio
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 1.5.1
Component: Login and Registration
Keywords: has-patch
Focuses:
Cc:

Description

There are famous plugins out there using wp_signon and providing $credentials, so essentially $_POST values are completely ignored. Meanwhile, $credentials lacks a 'remember' value in these plugins, so for the wp_signon function this means 'remember = false'.

If you want to force that remember = 1, there's only the wp_authenticate filter available which:

  1. is maybe deprecated?
  2. does not pass the remember value

So, basically, there is no way to filter the remember value, when the wp_signon function is not properly called by someone.

Change History (3)

#1 @peterwilsoncc
4 years ago

  • Milestone changed from Awaiting Review to 5.8
  • Version changed from 5.6.2 to 1.5.1

Hi @mirkolofio and welcome back to trac.

It looks like the @todo asking whether the filter should be deprecated was added in early 2014 as part of [27353].

I think allowing the remember me setting to be filtered makes sense, both for the use case you describe and for plugins either wishing to enforce or prevent users from being remembered.

My inclination is to deprecate the action and replace it with a filter (wp_signon_credentials maybe) that will allow plugin authors to modify the credentials array how they see fit.

A search of the plugin repository shows 374 plugins are using the current action, the top five all have over one million installs, the top two over three million.

I'll move this on to the 5.8 milestone to start the discussion:

  • naming things
  • whether to deprecate the existing action (my inclination) or simply delete the todo.

#2 @JeffPaul
4 years ago

  • Milestone changed from 5.8 to Future Release

With no traction on this ticket in the 5.8 release cycle and no patch/PR associated I'm going to punt to Future Release. Once discussion can settle on the naming and approach such that a patch/PR can be crafted, then this ticket can get added back to a numbered milestone.

This ticket was mentioned in PR #8267 on WordPress/wordpress-develop by @debarghyabanerjee.


3 months ago
#3

  • Keywords has-patch added; needs-patch removed

Trac Ticket: Core-52721

## Summary

This PR introduces a change to the wp_signon function, deprecating the wp_authenticate action and replacing it with a filter, wp_signon_credentials.

## Key Changes

  • Deprecated the wp_authenticate action and added the new wp_signon_credentials filter.

### Why This Change

  • The shift from the wp_authenticate action to a filter is driven by the need for more flexible and streamlined handling of login credentials. The action wp_authenticate only allowed for limited modification of the credentials, and its callback structure was not as versatile as using a filter.
  • The wp_authenticate action is a legacy mechanism that lacks flexibility for modern development. This PR deprecates it and introduces the wp_signon_credentials filter, offering a more extensible and standardized way to modify sign-on credentials. This change improves control over the login process, aligns with best practices, and ensures cleaner, more maintainable code. It also addresses the @todo from [27353], which questioned the deprecation of the action, by replacing it with the filter for improved flexibility while maintaining backward compatibility.
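
The difference discussed in this ticket, as an added example that is not code from the ticket, the PR or WordPress core: a simplified model of how wp_signon handles $credentials, showing that a callback on the by-reference wp_authenticate action cannot reach 'remember' while a filter over the whole array can. `add_hook()` and `model_signon()` are hypothetical stand-ins for the hook API, and wp_signon_credentials is the filter name proposed above.

```php
<?php
// Added illustration: a simplified model of wp_signon()'s credential handling.
// add_hook() and model_signon() are hypothetical stand-ins, not WordPress functions.
$hooks = array();

function add_hook( string $name, callable $callback ): void {
    global $hooks;
    $hooks[ $name ][] = $callback;
}

function model_signon( array $credentials, bool $with_proposed_filter ): array {
    global $hooks;
    // A caller that omits 'remember' ends up with false, as the ticket describes.
    $credentials['remember'] = ! empty( $credentials['remember'] );

    // Existing action: callbacks receive only login and password, by reference.
    foreach ( $hooks['wp_authenticate'] ?? array() as $callback ) {
        $callback( $credentials['user_login'], $credentials['user_password'] );
    }

    // Proposed in this ticket: a filter over the whole credentials array.
    if ( $with_proposed_filter ) {
        foreach ( $hooks['wp_signon_credentials'] ?? array() as $callback ) {
            $credentials = $callback( $credentials );
        }
    }
    // The real function goes on to authenticate and set the auth cookie using 'remember'.
    return $credentials;
}

// Action callback: can normalise the login, but never sees 'remember'.
add_hook( 'wp_authenticate', function ( &$login, &$password ): void {
    $login = strtolower( trim( $login ) );
} );

// Filter callback: a site policy that refuses persistent logins.
add_hook( 'wp_signon_credentials', function ( array $credentials ): array {
    $credentials['remember'] = false;
    return $credentials;
} );

// Constructed input, as a plugin might pass it to wp_signon().
$from_plugin = array( 'user_login' => ' Alice ', 'user_password' => 'constructed-password', 'remember' => true );

foreach ( array( false, true ) as $with_filter ) {
    $result = model_signon( $from_plugin, $with_filter );
    printf( "filter=%s login=%s remember=%s\n", var_export( $with_filter, true ), $result['user_login'], var_export( $result['remember'], true ) );
}
```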