wp_signon()

💡 云策文档标注

概述

wp_signon() 函数用于验证用户凭据并登录用户，支持“记住我”功能。它设置认证 Cookie，并可在登录前后触发相关 Hook。

关键要点

函数接受 $credentials 数组参数，包含 user_login、user_password 和 remember 键，若未提供则从 $_POST 中获取。
成功时返回 WP_User 对象，失败时返回 WP_Error 对象。
默认情况下，$secure_cookie 参数基于 is_ssl() 自动判断，但可通过过滤器 secure_signon_cookie 自定义。
函数在登录前触发 wp_authenticate action，登录后触发 wp_login action。
注意：wp_signon() 不自动设置当前用户，若在 'init' hook 前调用，需显式调用 wp_set_current_user() 以确保 is_user_logged_in() 正确工作。
函数发送 HTTP 头部，必须在输出内容前调用。

代码示例

function wpdocs_custom_login() {
    $creds = array(
        'user_login'    => 'example',
        'user_password' => 'plaintextpw',
        'remember'      => true
    );

    $user = wp_signon( $creds, false );

    if ( is_wp_error( $user ) ) {
        echo $user->get_error_message();
    }
}
add_action( 'after_setup_theme', 'wpdocs_custom_login' );

注意事项

在 SSL 站点上，建议将 $secure_cookie 设置为 is_ssl() 以确保安全 Cookie。
避免在输出内容后调用此函数，否则可能导致头部已发送错误。

📄 原文内容

Authenticates and logs a user in with ‘remember’ capability.

Description

The credentials is an array that has ‘user_login’, ‘user_password’, and ‘remember’ indices. If the credentials is not given, then the log in form will be assumed and used if set.

The various authentication cookies will be set by this function and will be set for a longer period depending on if the ‘remember’ credential is set to true.

Note: wp_signon() doesn’t handle setting the current user. This means that if the function is called before the ‘init’ hook is fired, is_user_logged_in() will evaluate as false until that point. If is_user_logged_in() is needed in conjunction with wp_signon() , wp_set_current_user() should be called explicitly.

Parameters

$credentialsarrayoptional

User info in order to sign on.

user_login string
Username.
user_password string
User password.
remember bool
Whether to 'remember' the user. Increases the time that the cookie will be kept. Default false.

Default:array()

$secure_cookiestring|booloptional

Whether to use secure cookie.

Return

WP_User|WP_Error WP_User on success, WP_Error on failure.

More Information

If you don’t provide $credentials, wp_signon uses the $_POST variable (the keys being “log”, “pwd” and “rememberme”).

This function sends headers to the page. It must be run before any content is returned.

This function sets an authentication cookie. Users will not be logged in if it is not sent.

Source

function wp_signon( $credentials = array(), $secure_cookie = '' ) {
	global $auth_secure_cookie, $wpdb;

	if ( empty( $credentials ) ) {
		$credentials = array(
			'user_login'    => '',
			'user_password' => '',
			'remember'      => false,
		);

		if ( ! empty( $_POST['log'] ) && is_string( $_POST['log'] ) ) {
			$credentials['user_login'] = wp_unslash( $_POST['log'] );
		}
		if ( ! empty( $_POST['pwd'] ) && is_string( $_POST['pwd'] ) ) {
			$credentials['user_password'] = $_POST['pwd'];
		}
		if ( ! empty( $_POST['rememberme'] ) ) {
			$credentials['remember'] = $_POST['rememberme'];
		}
	}

	if ( ! empty( $credentials['remember'] ) ) {
		$credentials['remember'] = true;
	} else {
		$credentials['remember'] = false;
	}

	/**
	 * Fires before the user is authenticated.
	 *
	 * The variables passed to the callbacks are passed by reference,
	 * and can be modified by callback functions.
	 *
	 * @since 1.5.1
	 *
	 * @todo Decide whether to deprecate the wp_authenticate action.
	 *
	 * @param string $user_login    Username (passed by reference).
	 * @param string $user_password User password (passed by reference).
	 */
	do_action_ref_array( 'wp_authenticate', array( &$credentials['user_login'], &$credentials['user_password'] ) );

	if ( '' === $secure_cookie ) {
		$secure_cookie = is_ssl();
	}

	/**
	 * Filters whether to use a secure sign-on cookie.
	 *
	 * @since 3.1.0
	 *
	 * @param bool  $secure_cookie Whether to use a secure sign-on cookie.
	 * @param array $credentials {
	 *     Array of entered sign-on data.
	 *
	 *     @type string $user_login    Username.
	 *     @type string $user_password Password entered.
	 *     @type bool   $remember      Whether to 'remember' the user. Increases the time
	 *                                 that the cookie will be kept. Default false.
	 * }
	 */
	$secure_cookie = apply_filters( 'secure_signon_cookie', $secure_cookie, $credentials );

	// XXX ugly hack to pass this to wp_authenticate_cookie().
	$auth_secure_cookie = $secure_cookie;

	add_filter( 'authenticate', 'wp_authenticate_cookie', 30, 3 );

	$user = wp_authenticate( $credentials['user_login'], $credentials['user_password'] );

	if ( is_wp_error( $user ) ) {
		return $user;
	}

	wp_set_auth_cookie( $user->ID, $credentials['remember'], $secure_cookie );

	// Clear `user_activation_key` after a successful login.
	if ( ! empty( $user->user_activation_key ) ) {
		$wpdb->update(
			$wpdb->users,
			array(
				'user_activation_key' => '',
			),
			array( 'ID' => $user->ID )
		);

		$user->user_activation_key = '';
	}

	/**
	 * Fires after the user has successfully logged in.
	 *
	 * @since 1.5.0
	 *
	 * @param string  $user_login Username.
	 * @param WP_User $user       WP_User object of the logged-in user.
	 */
	do_action( 'wp_login', $user->user_login, $user );

	return $user;
}

View all references View on Trac View on GitHub

Hooks

apply_filters( ‘secure_signon_cookie’, bool $secure_cookie, array $credentials ): Filters whether to use a secure sign-on cookie.
do_action_ref_array( ‘wp_authenticate’, string $user_login, string $user_password ): Fires before the user is authenticated.
do_action( ‘wp_login’, string $user_login, WP_User $user ): Fires after the user has successfully logged in.

Uses	Description
wp_set_auth_cookie()`wp-includes/pluggable.php`	Sets the authentication cookies for a given user ID.
wp_authenticate()`wp-includes/pluggable.php`	Authenticates a user, confirming the login credentials are valid.
is_ssl()`wp-includes/load.php`	Determines if SSL is used.
do_action_ref_array()`wp-includes/plugin.php`	Calls the callback functions that have been added to an action hook, specifying arguments in an array.
wpdb::update()`wp-includes/class-wpdb.php`	Updates a row in the table.
wp_unslash()`wp-includes/formatting.php`	Removes slashes from a string or recursively removes slashes from strings within an array.
apply_filters()`wp-includes/plugin.php`	Calls the callback functions that have been added to a filter hook.
add_filter()`wp-includes/plugin.php`	Adds a callback function to a filter hook.
do_action()`wp-includes/plugin.php`	Calls the callback functions that have been added to an action hook.
is_wp_error()`wp-includes/load.php`	Checks whether the given variable is a WordPress Error.

Show 5 more Show less

Changelog

Version	Description
2.5.0	Introduced.

User Contributed Notes

Skip to note 4 content

Codex

11 years ago

This function and action can be placed in functions.php of the theme.

Using the hook after_setup_theme will make it run before the headers and cookies are sent, so it can set the needed cookie for login.

/**
 * Perform automatic login.
 */
function wpdocs_custom_login() {
	$creds = array(
		'user_login'    => 'example',
		'user_password' => 'plaintextpw',
		'remember'      => true
	);

	$user = wp_signon( $creds, false );

	if ( is_wp_error( $user ) ) {
		echo $user->get_error_message();
	}
}

// Run before the headers and cookies are sent.
add_action( 'after_setup_theme', 'wpdocs_custom_login' );

Skip to note 5 content

cogdog

8 years ago

You must log in to vote on the helpfulness of this noteVote results for this note: 4You must log in to vote on the helpfulness of this note

If you want to cover your bases for SSL sites that need a secure cookie, I use (where $creds is the array of login credentials)

<br /> $autologin_user = wp_signon( $creds, is_ssl() );<br />
- If you’re not explicitly setting the usage of secure cookies, not passing a second argument will default to setting based on the is_ssl method.
  
  Brad Cavanaugh 6 years ago
Log in to add feedback
Skip to note 6 content

cogdog

10 years ago

You must log in to vote on the helpfulness of this noteVote results for this note: 2You must log in to vote on the helpfulness of this note

I have some sites where in code I log in a visitor to a hidden account (to enable media uploads form front end form), admin bar is hidden, and access to dashboard is blocked. But I have a report where wp_signon() fails and my hunch is because it is on site with SSL. I am guessing I need to use the $secure_cookie option, but I cannot find any info on how to do this.

My guess is I need to set the cookie first with wp_set_auth_cookie() ?? The option there for $secure too is unclear.

And if this is a case, do I need to test first if the host is running SSL? Will setting this cookie on an http:// site break the universe?
- If your website is using SSL (Secure Socket Layer), then it is recommended to set the secure flag on the authentication cookie by setting the ‘secure’ argument to true when calling wp_set_auth_cookie(). However, since you’re using wp_signon() which already sets the authentication cookie, you can pass the ‘secure’ argument directly to wp_signon(), for example:
  
  $user = wp_signon( array( ..., 'secure' => is_ssl() ), false );
  
  The second argument of wp_signon() ($secure_cookie) is used to determine whether the WordPress’ default authentication actions should be run or not. By setting it to false, you are indicating that you don’t want the default authentication actions to run, but you still want the authentication cookie to be set. If you set it to true, the default authentication actions will run, but it will also make WordPress start a new session and overwrite any existing authentication cookie, effectively logging out the user.
  
  wpdevlol 3 years ago
Log in to add feedback

云策 WordPress 开发者社区

函数文档