wp_set_auth_cookie()
Yunce documentation annotation (云策文档标注)
Overview
The wp_set_auth_cookie() function sets the authentication cookies for a given user ID and controls how persistent and how well protected the login session is. Its parameters govern the cookie expiration, HTTPS-only transport and the session token, and the function runs several filter and action hooks along the way.
Key points
- The function sets the authentication cookies, namely AUTH_COOKIE (or SECURE_AUTH_COOKIE when the cookie is HTTPS-only) and LOGGED_IN_COOKIE, based on the user ID and the optional parameters.
- The $remember parameter decides cookie persistence: true gives a persistent cookie (14 days by default, filterable via 'auth_cookie_expiration'); false gives a browser session cookie (by default the login expires after 2 days or when the browser closes, whichever comes first).
- The $secure parameter controls whether the cookie is sent only over HTTPS; it defaults to the value of is_ssl() and can be filtered via 'secure_auth_cookie' and 'secure_logged_in_cookie'.
- The optional $token parameter specifies the user's session token; if it is empty, the function creates one through WP_Session_Tokens.
- Several hooks are involved: 'auth_cookie_expiration' filters the expiration time, the 'set_auth_cookie' and 'set_logged_in_cookie' actions fire just before the cookies are set, and the 'send_auth_cookies' filter can prevent the cookies from being sent at all.
- The function handles the cookie paths and domain internally, for security and compatibility.
Code examples
// Example: set a persistent login cookie
$user_id = 123;
wp_set_auth_cookie( $user_id, true, is_ssl() );
// Example: passwordless login (from a user-contributed note)
// get_user_by() returns WP_User on success and false on failure, not WP_Error,
// so the result must be checked for false rather than with is_wp_error().
$user = get_user_by( 'login', $username );
if ( $user ) {
    wp_clear_auth_cookie();
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    echo "Logged in successfully";
}
Notes
- When using wp_set_auth_cookie(), combine it with wp_clear_auth_cookie() and wp_set_current_user() so the login state of the current request is correct.
- Mind the type of the $remember argument: the user-contributed notes report that in some versions true did not produce a "remember me" session while 1 did.
- The function may not be suitable for all admin operations; a user-contributed note reports permission problems and "link expired" errors and recommends the standard login form instead.
- Check the security-related settings, especially in HTTPS deployments, so that the cookies cannot leak.
Original content
Sets the authentication cookies for a given user ID.
Description
The $remember parameter controls cookie persistence:
- If true, the cookie is persistent (default 14 days, filterable via ‘auth_cookie_expiration’).
- If false, the cookie is a browser session cookie (expires when the browser closes).
Internally, ‘auth_cookie_expiration’ is still applied, to expire the login after two days or when the browser is closed, whichever occurs first.
Parameters
$user_id (int, required)
User ID.
$remember (bool, optional)
Whether to remember the user.
Default: false
$secure (bool|string, optional)
Whether the auth cookie should only be sent over HTTPS. Default is an empty string, which means the value of is_ssl() will be used.
$token (string, optional)
User's session token to use for this cookie.
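The following login handler is an added example, not code from the WordPress reference page or from WordPress core. It shows all four parameters used together: credentials are verified first with wp_authenticate(), a session token is created explicitly so the caller keeps a handle on the session, and the user's other sessions are destroyed afterwards. The function name example_login_with_session() is an assumption; everything else it calls is core WordPress API that appears on this page or in pluggable.php.

```php
<?php
/**
 * Added example (not from the WordPress reference page or WordPress core):
 * a login handler that verifies the password first, then calls
 * wp_set_auth_cookie() with explicit $remember, $secure and $token arguments
 * and invalidates the user's other sessions.
 *
 * Assumes a loaded WordPress environment. The helper name is ours.
 *
 * @param string $username Login name submitted by the user.
 * @param string $password Password submitted by the user.
 * @param bool   $remember Whether the user ticked "remember me".
 * @return WP_User|WP_Error
 */
function example_login_with_session( $username, $password, $remember ) {
	// Never trust the username alone: wp_authenticate() runs the
	// 'authenticate' filter chain (password check, lockout plugins, 2FA, ...)
	// and returns a WP_User on success or a WP_Error on failure.
	$user = wp_authenticate( $username, $password );
	if ( is_wp_error( $user ) ) {
		return $user;
	}

	// Mirror the expiration wp_set_auth_cookie() computes itself, so the
	// stored session record and the cookie expire together. 14 days / 2 days
	// are the core defaults visible in the function source; the same
	// 'auth_cookie_expiration' filter is applied so site policy still wins.
	$remember   = (bool) $remember;
	$default    = $remember ? 14 * DAY_IN_SECONDS : 2 * DAY_IN_SECONDS;
	$expiration = time() + apply_filters( 'auth_cookie_expiration', $default, $user->ID, $remember );

	// Creating the token ourselves (instead of passing '') gives us a handle
	// on this session, which we need to destroy every *other* session below.
	$manager = WP_Session_Tokens::get_instance( $user->ID );
	$token   = $manager->create( $expiration );

	// Clear stale cookies, set the current user for this request, then issue
	// the new cookies. Pass a real bool for $remember and is_ssl() explicitly
	// so the Secure flag follows the transport the request actually used.
	wp_clear_auth_cookie();
	wp_set_current_user( $user->ID );
	wp_set_auth_cookie( $user->ID, $remember, is_ssl(), $token );

	// Keep only the session just created: any previously issued cookie for
	// this user (including one obtained before the password change or on a
	// shared machine) stops validating immediately.
	$manager->destroy_others( $token );

	return $user;
}
```

Call it from a form handler after nonce verification, e.g. `example_login_with_session( $_POST['log'], $_POST['pwd'], ! empty( $_POST['rememberme'] ) )`, and redirect on success. The explicit token plus destroy_others() is what distinguishes this from a bare wp_set_auth_cookie() call: with an empty $token the function creates the session for you, but the caller then has no reference to it.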
Source
function wp_set_auth_cookie( $user_id, $remember = false, $secure = '', $token = '' ) {
	if ( $remember ) {
		/**
		 * Filters the duration of the authentication cookie expiration period.
		 *
		 * @since 2.8.0
		 *
		 * @param int  $length   Duration of the expiration period in seconds.
		 * @param int  $user_id  User ID.
		 * @param bool $remember Whether to remember the user login. Default false.
		 */
		$expiration = time() + apply_filters( 'auth_cookie_expiration', 14 * DAY_IN_SECONDS, $user_id, $remember );

		/*
		 * Ensure the browser will continue to send the cookie after the expiration time is reached.
		 * Needed for the login grace period in wp_validate_auth_cookie().
		 */
		$expire = $expiration + ( 12 * HOUR_IN_SECONDS );
	} else {
		/** This filter is documented in wp-includes/pluggable.php */
		$expiration = time() + apply_filters( 'auth_cookie_expiration', 2 * DAY_IN_SECONDS, $user_id, $remember );
		$expire     = 0;
	}

	if ( '' === $secure ) {
		$secure = is_ssl();
	}

	// Front-end cookie is secure when the auth cookie is secure and the site's home URL uses HTTPS.
	$secure_logged_in_cookie = $secure && 'https' === parse_url( get_option( 'home' ), PHP_URL_SCHEME );

	/**
	 * Filters whether the auth cookie should only be sent over HTTPS.
	 *
	 * @since 3.1.0
	 *
	 * @param bool $secure  Whether the cookie should only be sent over HTTPS.
	 * @param int  $user_id User ID.
	 */
	$secure = apply_filters( 'secure_auth_cookie', $secure, $user_id );

	/**
	 * Filters whether the logged in cookie should only be sent over HTTPS.
	 *
	 * @since 3.1.0
	 *
	 * @param bool $secure_logged_in_cookie Whether the logged in cookie should only be sent over HTTPS.
	 * @param int  $user_id                 User ID.
	 * @param bool $secure                  Whether the auth cookie should only be sent over HTTPS.
	 */
	$secure_logged_in_cookie = apply_filters( 'secure_logged_in_cookie', $secure_logged_in_cookie, $user_id, $secure );

	if ( $secure ) {
		$auth_cookie_name = SECURE_AUTH_COOKIE;
		$scheme           = 'secure_auth';
	} else {
		$auth_cookie_name = AUTH_COOKIE;
		$scheme           = 'auth';
	}

	if ( '' === $token ) {
		$manager = WP_Session_Tokens::get_instance( $user_id );
		$token   = $manager->create( $expiration );
	}

	$auth_cookie      = wp_generate_auth_cookie( $user_id, $expiration, $scheme, $token );
	$logged_in_cookie = wp_generate_auth_cookie( $user_id, $expiration, 'logged_in', $token );

	/**
	 * Fires immediately before the authentication cookie is set.
	 *
	 * @since 2.5.0
	 * @since 4.9.0 The `$token` parameter was added.
	 *
	 * @param string $auth_cookie Authentication cookie value.
	 * @param int    $expire      The time the login grace period expires as a UNIX timestamp.
	 *                            Default is 12 hours past the cookie's expiration time.
	 * @param int    $expiration  The time when the authentication cookie expires as a UNIX timestamp.
	 *                            Default is 14 days from now.
	 * @param int    $user_id     User ID.
	 * @param string $scheme      Authentication scheme. Values include 'auth' or 'secure_auth'.
	 * @param string $token       User's session token to use for this cookie.
	 */
	do_action( 'set_auth_cookie', $auth_cookie, $expire, $expiration, $user_id, $scheme, $token );

	/**
	 * Fires immediately before the logged-in authentication cookie is set.
	 *
	 * @since 2.6.0
	 * @since 4.9.0 The `$token` parameter was added.
	 *
	 * @param string $logged_in_cookie The logged-in cookie value.
	 * @param int    $expire           The time the login grace period expires as a UNIX timestamp.
	 *                                 Default is 12 hours past the cookie's expiration time.
	 * @param int    $expiration       The time when the logged-in authentication cookie expires as a UNIX timestamp.
	 *                                 Default is 14 days from now.
	 * @param int    $user_id          User ID.
	 * @param string $scheme           Authentication scheme. Default 'logged_in'.
	 * @param string $token            User's session token to use for this cookie.
	 */
	do_action( 'set_logged_in_cookie', $logged_in_cookie, $expire, $expiration, $user_id, 'logged_in', $token );

	/**
	 * Allows preventing auth cookies from actually being sent to the client.
	 *
	 * @since 4.7.4
	 * @since 6.2.0 The `$expire`, `$expiration`, `$user_id`, `$scheme`, and `$token` parameters were added.
	 *
	 * @param bool   $send       Whether to send auth cookies to the client. Default true.
	 * @param int    $expire     The time the login grace period expires as a UNIX timestamp.
	 *                           Default is 12 hours past the cookie's expiration time. Zero when clearing cookies.
	 * @param int    $expiration The time when the logged-in authentication cookie expires as a UNIX timestamp.
	 *                           Default is 14 days from now. Zero when clearing cookies.
	 * @param int    $user_id    User ID. Zero when clearing cookies.
	 * @param string $scheme     Authentication scheme. Values include 'auth' or 'secure_auth'.
	 *                           Empty string when clearing cookies.
	 * @param string $token      User's session token to use for this cookie. Empty string when clearing cookies.
	 */
	if ( ! apply_filters( 'send_auth_cookies', true, $expire, $expiration, $user_id, $scheme, $token ) ) {
		return;
	}

	setcookie( $auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, true );
	setcookie( $auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, true );
	setcookie( LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true );
	if ( COOKIEPATH !== SITECOOKIEPATH ) {
		setcookie( LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true );
	}
}
Hooks
- apply_filters( 'auth_cookie_expiration', int $length, int $user_id, bool $remember )
  Filters the duration of the authentication cookie expiration period.
- apply_filters( 'secure_auth_cookie', bool $secure, int $user_id )
  Filters whether the auth cookie should only be sent over HTTPS.
- apply_filters( 'secure_logged_in_cookie', bool $secure_logged_in_cookie, int $user_id, bool $secure )
  Filters whether the logged in cookie should only be sent over HTTPS.
- apply_filters( 'send_auth_cookies', bool $send, int $expire, int $expiration, int $user_id, string $scheme, string $token )
  Allows preventing auth cookies from actually being sent to the client.
- do_action( 'set_auth_cookie', string $auth_cookie, int $expire, int $expiration, int $user_id, string $scheme, string $token )
  Fires immediately before the authentication cookie is set.
- do_action( 'set_logged_in_cookie', string $logged_in_cookie, int $expire, int $expiration, int $user_id, string $scheme, string $token )
  Fires immediately before the logged-in authentication cookie is set.
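The hooks listed above are where session issuance can be hardened site-wide without touching the callers of wp_set_auth_cookie(). The must-use plugin below is an added example, not part of the reference page or of WordPress core: it caps the "remember me" lifetime (shorter for users who can manage options), forces the Secure flag whenever the request is over HTTPS, writes an audit line for every issued cookie without recording the cookie value, and refuses to issue an administrator's cookies over plain HTTP when FORCE_SSL_ADMIN is on. The plugin name, the EXAMPLE_* constants, the chosen lifetimes and the log line format are assumptions.

```php
<?php
/**
 * Plugin Name: Example auth-cookie hardening
 *
 * Added example (not from the WordPress reference page or WordPress core).
 * Place in wp-content/mu-plugins/ so it loads before any other plugin.
 * Assumes the whole site, including the home URL, is served over HTTPS.
 * The constant names and values below are our own policy choices.
 */

define( 'EXAMPLE_ADMIN_REMEMBER', 1 * DAY_IN_SECONDS );  // cap for privileged users
define( 'EXAMPLE_USER_REMEMBER', 7 * DAY_IN_SECONDS );   // cap for everyone else

// 1. Shorten "remember me". Core starts from 14 days; we only ever reduce it,
//    so an earlier filter that already shortened it is respected.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
	if ( ! $remember ) {
		return $length; // keep core's 2-day default for browser-session logins
	}
	$cap = user_can( $user_id, 'manage_options' ) ? EXAMPLE_ADMIN_REMEMBER : EXAMPLE_USER_REMEMBER;
	return min( (int) $length, $cap );
}, 10, 3 );

// 2. Force the Secure flag whenever the request itself is HTTPS, regardless of
//    what the caller passed for $secure. Both filters run before the cookie
//    name is chosen, so forcing it here also selects SECURE_AUTH_COOKIE.
$example_force_secure = function ( $secure ) {
	return (bool) $secure || is_ssl();
};
add_filter( 'secure_auth_cookie', $example_force_secure );
add_filter( 'secure_logged_in_cookie', $example_force_secure );

// 3. Audit trail. $auth_cookie is a bearer credential and is deliberately not
//    logged; a short fingerprint of the session token is enough to correlate
//    the line with a row in the user's session list.
add_action( 'set_auth_cookie', function ( $auth_cookie, $expire, $expiration, $user_id, $scheme, $token ) {
	error_log( sprintf(
		'auth cookie issued: user=%d scheme=%s expires=%s session=%s ip=%s',
		$user_id,
		$scheme,
		gmdate( 'c', $expiration ),
		substr( hash( 'sha256', $token ), 0, 12 ),
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
	) );
}, 10, 6 );

// 4. Last line of defence: never hand an options-managing user's cookies to a
//    plain-HTTP client when admin SSL is required. Note the caveat visible in
//    the source: by the time this filter runs the session token has already
//    been created and the set_* actions have fired; only setcookie() is skipped.
add_filter( 'send_auth_cookies', function ( $send, $expire, $expiration, $user_id ) {
	if ( $user_id && force_ssl_admin() && ! is_ssl() && user_can( $user_id, 'manage_options' ) ) {
		error_log( sprintf( 'auth cookie withheld for user=%d: plain HTTP with FORCE_SSL_ADMIN', $user_id ) );
		return false;
	}
	return $send;
}, 10, 4 );
```

Step 2 is only appropriate when the home URL is also HTTPS; on a mixed-scheme site forcing the logged-in cookie to Secure would hide the front-end session on HTTP pages, which is exactly why core checks the home URL scheme before setting that flag.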
axew3
On 5.3 it seems to me that:
wp_set_auth_cookie( $user->ID, true, is_ssl() );
does not set a remember me session, while this way sets a remember me session:
wp_set_auth_cookie( $user->ID, 1, is_ssl() );
Rohit Sharma
You can do WordPress Login without password.
// First get the user details
$user = get_user_by( 'login', $username );
// get_user_by() returns false (not a WP_Error) when no such user exists,
// so check the result for false before using it.
if ( $user ) {
    wp_clear_auth_cookie();
    wp_set_current_user( $user->ID ); // Set the current user detail
    wp_set_auth_cookie( $user->ID );  // Set auth details in cookie
    $message = "Logged in successfully";
} else {
    $message = "Failed to log in";
}
echo $message;
wilhelmforfot
I would rather recommend using a login form than this function.
The problem with this function is that no admin rights work. Updating posts or settings will redirect you to
"The link you followed has expired." (Because for some reason your link expired in 1986 (Expires: Wed, 11 Jan 1984 05:00:00 GMT))