云策 WordPress 开发者社区

函数文档

wp_parse_auth_cookie()

查看官方原文 ↗
💡 云策文档标注

概述

wp_parse_auth_cookie() 函数用于解析 WordPress 认证 cookie,将其拆分为用户名、过期时间、会话令牌和安全哈希等组件。该函数支持多种 cookie 方案,并验证 cookie 格式的有效性。

关键要点

  • 函数解析认证 cookie 字符串,返回包含 username、expiration、token、hmac 和 scheme 的数组,若格式错误则返回 false。
  • 参数 $cookie 为必需,指定 cookie 字符串;$scheme 可选,定义 cookie 方案('auth'、'secure_auth' 或 'logged_in'),默认基于 SSL 状态自动选择。
  • 返回的组件不应直接假设有效,因为它们来自客户端提供的 cookie 值,需进一步验证。
  • 过期时间 expiration 为 UNIX 时间戳,基于 UTC 时区,使用时可能需要转换为本地时间。

代码示例

function wp_parse_auth_cookie( $cookie = '', $scheme = '' ) {
    if ( empty( $cookie ) ) {
        switch ( $scheme ) {
            case 'auth':
                $cookie_name = AUTH_COOKIE;
                break;
            case 'secure_auth':
                $cookie_name = SECURE_AUTH_COOKIE;
                break;
            case 'logged_in':
                $cookie_name = LOGGED_IN_COOKIE;
                break;
            default:
                if ( is_ssl() ) {
                    $cookie_name = SECURE_AUTH_COOKIE;
                    $scheme      = 'secure_auth';
                } else {
                    $cookie_name = AUTH_COOKIE;
                    $scheme      = 'auth';
                }
        }

        if ( empty( $_COOKIE[ $cookie_name ] ) ) {
            return false;
        }
        $cookie = $_COOKIE[ $cookie_name ];
    }

    $cookie_elements = explode( '|', $cookie );
    if ( count( $cookie_elements ) !== 4 ) {
        return false;
    }

    list( $username, $expiration, $token, $hmac ) = $cookie_elements;

    return compact( 'username', 'expiration', 'token', 'hmac', 'scheme' );
}

注意事项

  • 从版本 4.0.0 开始,返回数组中添加了 token 元素,用于会话管理。
  • 函数内部使用 explode() 分割 cookie 字符串,确保格式为四部分,否则返回 false。
  • 相关函数包括 wp_validate_auth_cookie() 用于验证 cookie,wp_get_session_token() 用于获取会话令牌。
📄 原文内容

Parses a cookie into its components.

Parameters

$cookiestringrequired
Authentication cookie.
$schemestringoptional
The cookie scheme to use: 'auth', 'secure_auth', or 'logged_in'.

Return

string[]|false Authentication cookie components. None of the components should be assumed to be valid as they come directly from a client-provided cookie value. If the cookie value is malformed, false is returned.

  • username string
    User’s username.
  • expiration string
    The time the cookie expires as a UNIX timestamp.
  • token string
    User’s session token used.
  • hmac string
    The security hash for the cookie.
  • scheme string
    The cookie scheme to use.

Source

function wp_parse_auth_cookie( $cookie = '', $scheme = '' ) {
	if ( empty( $cookie ) ) {
		switch ( $scheme ) {
			case 'auth':
				$cookie_name = AUTH_COOKIE;
				break;
			case 'secure_auth':
				$cookie_name = SECURE_AUTH_COOKIE;
				break;
			case 'logged_in':
				$cookie_name = LOGGED_IN_COOKIE;
				break;
			default:
				if ( is_ssl() ) {
					$cookie_name = SECURE_AUTH_COOKIE;
					$scheme      = 'secure_auth';
				} else {
					$cookie_name = AUTH_COOKIE;
					$scheme      = 'auth';
				}
		}

		if ( empty( $_COOKIE[ $cookie_name ] ) ) {
			return false;
		}
		$cookie = $_COOKIE[ $cookie_name ];
	}

	$cookie_elements = explode( '|', $cookie );
	if ( count( $cookie_elements ) !== 4 ) {
		return false;
	}

	list( $username, $expiration, $token, $hmac ) = $cookie_elements;

	return compact( 'username', 'expiration', 'token', 'hmac', 'scheme' );
}

View all references View on Trac View on GitHub

Uses Description
is_ssl()wp-includes/load.php

Determines if SSL is used.
Used by Description
wp_get_session_token()wp-includes/user.php

Retrieves the current session token from the logged_in cookie.
wp_validate_auth_cookie()wp-includes/pluggable.php

Validates authentication cookie.
wp_update_user()wp-includes/user.php

Updates a user in the database.

Changelog

Version Description
4.0.0 The $token element was added to the return value.
2.7.0 Introduced.

User Contributed Notes