WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#5400 closed enhancement (invalid)

Add action to wp-login

Reported by: axelseaa
Owned by:
Milestone:
Priority: high
Severity: normal
Version:
Component: General
Keywords:
Focuses:
Cc:

Description

I am working on the LDAP authentication plugin, and trying to modify things in such a way that we no longer need to override the wp_setcookie function. (Mainly so we can work in conjunction with the Secure-Admin plugin). The only reason we currently override that function is to modify the password to not store what the user has directly entered.

The solution I have come up with is to have WordPress process an action that happens after wp_login is called, and before wp_setcookie is called. The change would be directly after line 244 in wp-login. Below is an example:

        if ( $user_login && $user_pass && empty( $errors ) ) {
                $user = new WP_User(0, $user_login);

                // If the user can't edit posts, send them to their profile.
                if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) )
                        $redirect_to = get_option('siteurl') . '/wp-admin/profile.php';

                if ( wp_login($user_login, $user_pass, $using_cookie) ) {
                        do_action_ref_array('wp_munge', array(&$user_login, &$user_pass));
                        if ( !$using_cookie )
                                wp_setcookie($user_login, $user_pass, false, '', '', $rememberme);
                        do_action('wp_login', $user_login);
                        wp_safe_redirect($redirect_to);
                        exit();
                } else {
                        if ( $using_cookie )
                                $errors['expiredsession'] = __('Your session has expired.');
                }
        }

Adding the wp_munge action hook would allow us to then change the password field and pass it back so the cookie can be created without storing the LDAP password.

Is this something that can be implemented?

Change History (6)

comment:1 ryan 6 years ago

We're redoing user auth and cookies quite a bit for 2.4. It should make secure admin a bit simpler. We'll keep this in mind while we're overhauling things. See #2394 and #5367.

comment:2 axelseaa 6 years ago

I'll keep an eye out, hopefully we can get some type of action added in there.

comment:3 DD32 6 years ago

Has a useable hook come into play for use with this yet?

There are a number of new pluggable functions/hooks AFAIK, so might be worth taking another look.

comment:4 ryan 6 years ago

We don't use the password in the cookie anymore, so this particular case may no longer be relevant.
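
Added illustration, not part of the ticket and not WordPress's own code: a simplified PHP model of the two cookie designs this thread contrasts, one derived from the typed password and one that never takes the password as input. The function names, the double-MD5 derivation, the HMAC-SHA256 token layout and all sample values are assumptions made for the example.

```php
<?php
// Model A (assumed): the cookie value is a pure function of the typed password.
function password_derived_cookie(string $password): string {
    return md5(md5($password));
}

// Model B (assumed): the cookie is a token signed with a server-side key.
// The password is not an argument, so it cannot end up in the cookie.
function issue_token(string $user, int $expires, string $serverKey): string {
    if (strpos($user, '|') !== false) {
        throw new InvalidArgumentException('user name must not contain the field separator');
    }
    $mac = hash_hmac('sha256', $user . '|' . $expires, $serverKey);
    return $user . '|' . $expires . '|' . $mac;
}

// Returns the user name for a valid, unexpired token, otherwise null.
function verify_token(string $token, string $serverKey, int $now): ?string {
    $parts = explode('|', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null;                                  // malformed token
    }
    [$user, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expires, $serverKey);
    if (!hash_equals($expected, $mac)) {
        return null;                                  // forged or tampered token
    }
    return ((int) $expires > $now) ? $user : null;    // expired tokens are rejected
}

// Constructed sample values.
$ldapPassword = 'Directory-Passw0rd!';
$serverKey    = random_bytes(32);
$now          = time();

// Model A: the cookie matches exactly one password, so whoever holds the
// cookie holds an offline verifier for the directory (LDAP) password.
$cookieA = password_derived_cookie($ldapPassword);
var_dump(hash_equals($cookieA, password_derived_cookie($ldapPassword)));

// Model B: validity depends only on the server key and the expiry time.
$cookieB = issue_token('exampleuser', $now + 3600, $serverKey);
var_dump(verify_token($cookieB, $serverKey, $now));           // fresh token
var_dump(verify_token($cookieB, $serverKey, $now + 7200));    // after expiry
var_dump(verify_token(str_replace('exampleuser', 'admin', $cookieB), $serverKey, $now)); // edited user
```

In model B a directory password change or an external authentication backend has no effect on the cookie format, which is why a hook to rewrite the password before cookie creation stops being necessary.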

comment:5 axelseaa 6 years ago

Once the new cookie auth is ported to WPMU, I'll take a look and see if it's necessary for any additional hooks. But from a quick glance, I think there are plenty in place with the revamped cookie handling.

comment:6 lloydbudd 6 years ago

  • Milestone 2.6 deleted
  • Resolution set to invalid
  • Status changed from new to closed

Great, closing as invalid for now then.
