wp_validate_auth_cookie()
云策 documentation annotations
Overview
The wp_validate_auth_cookie() function validates a WordPress authentication cookie: it checks that the cookie is set, that it has not expired, that its hash matches, and that its session token is valid. It returns the user ID or false, and supports several cookie schemes.
Key points
- Validates the authentication cookie's integrity, expiration status, hash match and session-token validity.
- The $cookie parameter is optional and supplies the cookie string to validate; $scheme is optional and selects the cookie scheme ('auth', 'secure_auth' or 'logged_in'); it does not default to 'auth'.
- Returns the user ID (integer) or false when the cookie is invalid.
- Provides several hooks, such as auth_cookie_malformed and auth_cookie_bad_hash, that fire on the different events during validation.
- Internally uses wp_parse_auth_cookie() to parse the cookie, wp_hash() to derive the key, and WP_Session_Tokens to verify the token.
Code example
```php
function wp_validate_auth_cookie( $cookie = '', $scheme = '' ) {
    $cookie_elements = wp_parse_auth_cookie( $cookie, $scheme );
    if ( ! $cookie_elements ) {
        do_action( 'auth_cookie_malformed', $cookie, $scheme );
        return false;
    }
    // More validation logic...
}
```
Notes
- This function does not default to the 'auth' scheme; specify it explicitly or let wp_parse_auth_cookie() resolve it.
- For POST and Ajax requests, a one-hour grace period is allowed for expired cookies.
- The validation handles sensitive data; make sure the cookie elements are handled securely.
Original content
Validates authentication cookie.
Description
The checks include making sure that the authentication cookie is set and pulling in the contents (if $cookie is not used).
Makes sure the cookie is not expired. Verifies that the hash in the cookie is what it should be and compares the two.
Parameters
- $cookie (string, optional): If used, will validate contents instead of the cookie's.
- $scheme (string, optional): The cookie scheme to use: 'auth', 'secure_auth', or 'logged_in'.
  Note: This does *not* default to 'auth' like other cookie functions.
Source
```php
function wp_validate_auth_cookie( $cookie = '', $scheme = '' ) {
    $cookie_elements = wp_parse_auth_cookie( $cookie, $scheme );
    if ( ! $cookie_elements ) {
        /**
         * Fires if an authentication cookie is malformed.
         *
         * @since 2.7.0
         *
         * @param string $cookie Malformed auth cookie.
         * @param string $scheme Authentication scheme. Values include 'auth', 'secure_auth',
         *                       or 'logged_in'.
         */
        do_action( 'auth_cookie_malformed', $cookie, $scheme );
        return false;
    }

    $scheme     = $cookie_elements['scheme'];
    $username   = $cookie_elements['username'];
    $hmac       = $cookie_elements['hmac'];
    $token      = $cookie_elements['token'];
    $expiration = $cookie_elements['expiration'];

    $expired = (int) $expiration;

    // Allow a grace period for POST and Ajax requests.
    if ( wp_doing_ajax() || 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        $expired += HOUR_IN_SECONDS;
    }

    // Quick check to see if an honest cookie has expired.
    if ( $expired < time() ) {
        /**
         * Fires once an authentication cookie has expired.
         *
         * @since 2.7.0
         *
         * @param string[] $cookie_elements {
         *     Authentication cookie components. None of the components should be assumed
         *     to be valid as they come directly from a client-provided cookie value.
         *
         *     @type string $username   User's username.
         *     @type string $expiration The time the cookie expires as a UNIX timestamp.
         *     @type string $token      User's session token used.
         *     @type string $hmac       The security hash for the cookie.
         *     @type string $scheme     The cookie scheme to use.
         * }
         */
        do_action( 'auth_cookie_expired', $cookie_elements );
        return false;
    }

    $user = get_user_by( 'login', $username );
    if ( ! $user ) {
        /**
         * Fires if a bad username is entered in the user authentication process.
         *
         * @since 2.7.0
         *
         * @param string[] $cookie_elements {
         *     Authentication cookie components. None of the components should be assumed
         *     to be valid as they come directly from a client-provided cookie value.
         *
         *     @type string $username   User's username.
         *     @type string $expiration The time the cookie expires as a UNIX timestamp.
         *     @type string $token      User's session token used.
         *     @type string $hmac       The security hash for the cookie.
         *     @type string $scheme     The cookie scheme to use.
         * }
         */
        do_action( 'auth_cookie_bad_username', $cookie_elements );
        return false;
    }

    if ( str_starts_with( $user->user_pass, '$P$' ) || str_starts_with( $user->user_pass, '$2y$' ) ) {
        // Retain previous behaviour of phpass or vanilla bcrypt hashed passwords.
        $pass_frag = substr( $user->user_pass, 8, 4 );
    } else {
        // Otherwise, use a substring from the end of the hash to avoid dealing with potentially long hash prefixes.
        $pass_frag = substr( $user->user_pass, -4 );
    }

    $key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );

    $hash = hash_hmac( 'sha256', $username . '|' . $expiration . '|' . $token, $key );

    if ( ! hash_equals( $hash, $hmac ) ) {
        /**
         * Fires if a bad authentication cookie hash is encountered.
         *
         * @since 2.7.0
         *
         * @param string[] $cookie_elements {
         *     Authentication cookie components. None of the components should be assumed
         *     to be valid as they come directly from a client-provided cookie value.
         *
         *     @type string $username   User's username.
         *     @type string $expiration The time the cookie expires as a UNIX timestamp.
         *     @type string $token      User's session token used.
         *     @type string $hmac       The security hash for the cookie.
         *     @type string $scheme     The cookie scheme to use.
         * }
         */
        do_action( 'auth_cookie_bad_hash', $cookie_elements );
        return false;
    }

    $manager = WP_Session_Tokens::get_instance( $user->ID );
    if ( ! $manager->verify( $token ) ) {
        /**
         * Fires if a bad session token is encountered.
         *
         * @since 4.0.0
         *
         * @param string[] $cookie_elements {
         *     Authentication cookie components. None of the components should be assumed
         *     to be valid as they come directly from a client-provided cookie value.
         *
         *     @type string $username   User's username.
         *     @type string $expiration The time the cookie expires as a UNIX timestamp.
         *     @type string $token      User's session token used.
         *     @type string $hmac       The security hash for the cookie.
         *     @type string $scheme     The cookie scheme to use.
         * }
         */
        do_action( 'auth_cookie_bad_session_token', $cookie_elements );
        return false;
    }

    // Ajax/POST grace period set above.
    if ( $expiration < time() ) {
        $GLOBALS['login_grace_period'] = 1;
    }

    /**
     * Fires once an authentication cookie has been validated.
     *
     * @since 2.7.0
     *
     * @param string[] $cookie_elements {
     *     Authentication cookie components.
     *
     *     @type string $username   User's username.
     *     @type string $expiration The time the cookie expires as a UNIX timestamp.
     *     @type string $token      User's session token used.
     *     @type string $hmac       The security hash for the cookie.
     *     @type string $scheme     The cookie scheme to use.
     * }
     * @param WP_User  $user            User object.
     */
    do_action( 'auth_cookie_valid', $cookie_elements, $user );

    return $user->ID;
}
```
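A stand-alone walk-through of the checks the source above performs, added here as an example; it is not WordPress code. It re-implements the cookie layout (username|expiration|token|hmac), the pass_frag selection, the two-step key derivation, the constant-time HMAC comparison and the session-token check, then runs constructed scenarios: a fresh cookie, a tampered expiration, a stale cookie on GET versus POST, a destroyed session, and a password change. Assumptions not on the page: wp_hash() is modelled as hash_hmac( 'md5', $data, $salt ) with constructed per-scheme salts standing in for wp_salt(), the user table is a PHP array, WP_Session_Tokens is modelled as a list of sha256-hashed tokens, and every demo_* name belongs to the example.

```php
<?php
// Added example, not WordPress code: re-implements the checks performed by
// wp_validate_auth_cookie() so the cookie layout, key derivation and HMAC
// comparison can be exercised without a WordPress install.
// Assumptions: wp_hash() modelled as hash_hmac( 'md5', $data, $salt ) with
// constructed salts; users kept in an array; session tokens stored as sha256
// hashes. All demo_* names are this example's own.

const HOUR_IN_SECONDS = 3600;

// Constructed salts standing in for wp_salt( $scheme ).
const DEMO_SALTS = [
    'auth'        => 'constructed-auth-salt',
    'secure_auth' => 'constructed-secure-auth-salt',
    'logged_in'   => 'constructed-logged-in-salt',
];

function demo_wp_hash( string $data, string $scheme ): string {
    return hash_hmac( 'md5', $data, DEMO_SALTS[ $scheme ] );
}

// Same pass_frag rule as the source: 4 chars at offset 8 for phpass/bcrypt,
// otherwise the last 4 chars of the stored hash.
function demo_pass_frag( string $user_pass ): string {
    if ( str_starts_with( $user_pass, '$P$' ) || str_starts_with( $user_pass, '$2y$' ) ) {
        return substr( $user_pass, 8, 4 );
    }
    return substr( $user_pass, -4 );
}

// key  = wp_hash( username|pass_frag|expiration|token, scheme )
// hmac = HMAC-SHA256( username|expiration|token, key )
// $expiration stays a raw string so the signed bytes are exactly what the client sent.
function demo_cookie_hmac( string $username, string $pass_frag, string $expiration, string $token, string $scheme ): string {
    $key = demo_wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );
    return hash_hmac( 'sha256', $username . '|' . $expiration . '|' . $token, $key );
}

// Cookie layout used by WordPress: username|expiration|token|hmac.
function demo_generate_cookie( array $user, int $expiration, string $token, string $scheme ): string {
    $hmac = demo_cookie_hmac( $user['user_login'], demo_pass_frag( $user['user_pass'] ), (string) $expiration, $token, $scheme );
    return $user['user_login'] . '|' . $expiration . '|' . $token . '|' . $hmac;
}

// Returns the user ID on success, otherwise the name of the hook WordPress
// would fire at the stage that failed.
function demo_validate_cookie( string $cookie, string $scheme, array $users, array $sessions, bool $is_post, int $now ): int|string {
    $parts = explode( '|', $cookie );
    if ( count( $parts ) !== 4 ) {
        return 'auth_cookie_malformed';
    }
    [ $username, $expiration, $token, $hmac ] = $parts;

    $expired = (int) $expiration;
    if ( $is_post ) {
        $expired += HOUR_IN_SECONDS; // POST/Ajax grace period
    }
    if ( $expired < $now ) {
        return 'auth_cookie_expired';
    }

    if ( ! isset( $users[ $username ] ) ) {
        return 'auth_cookie_bad_username';
    }
    $user = $users[ $username ];

    $expected = demo_cookie_hmac( $username, demo_pass_frag( $user['user_pass'] ), $expiration, $token, $scheme );
    if ( ! hash_equals( $expected, $hmac ) ) { // constant-time comparison
        return 'auth_cookie_bad_hash';
    }

    if ( ! in_array( hash( 'sha256', $token ), $sessions[ $user['ID'] ] ?? [], true ) ) {
        return 'auth_cookie_bad_session_token';
    }
    return $user['ID'];
}

// --- Constructed scenario data ---
$users = [
    'alice' => [ 'ID' => 7, 'user_login' => 'alice', 'user_pass' => '$P$BconstructedPhpassHashForDemo000000' ],
];
$token    = bin2hex( random_bytes( 21 ) );
$sessions = [ 7 => [ hash( 'sha256', $token ) ] ];
$now      = time();
$scheme   = 'auth';

$cookie = demo_generate_cookie( $users['alice'], $now + 2 * 24 * HOUR_IN_SECONDS, $token, $scheme );
echo 'fresh cookie, GET     -> ', demo_validate_cookie( $cookie, $scheme, $users, $sessions, false, $now ), "\n";

// Expiration is part of the signed data, so extending it breaks the HMAC.
$parts    = explode( '|', $cookie );
$parts[1] = (string) ( $now + 365 * 24 * HOUR_IN_SECONDS );
$tampered = implode( '|', $parts );
echo 'tampered expiration   -> ', demo_validate_cookie( $tampered, $scheme, $users, $sessions, false, $now ), "\n";

// Honest but stale cookie: rejected on GET, accepted within the one-hour grace period on POST.
$stale = demo_generate_cookie( $users['alice'], $now - 600, $token, $scheme );
echo 'stale cookie, GET     -> ', demo_validate_cookie( $stale, $scheme, $users, $sessions, false, $now ), "\n";
echo 'stale cookie, POST    -> ', demo_validate_cookie( $stale, $scheme, $users, $sessions, true, $now ), "\n";

// Logging out destroys the session token: the HMAC still verifies, the token check fails.
echo 'after logout          -> ', demo_validate_cookie( $cookie, $scheme, $users, [], false, $now ), "\n";

// A password change alters pass_frag and hence the key, so existing cookies fail the HMAC check.
$users['alice']['user_pass'] = '$P$BanotherConstructedHashForDemo00000';
echo 'after password change -> ', demo_validate_cookie( $cookie, $scheme, $users, $sessions, false, $now ), "\n";
```

Run it with `php demo.php` on PHP 8.0 or later (str_starts_with and union return types). The validator returns user ID 7 for the fresh cookie and for the stale cookie on POST; in every other scenario it returns the name of the hook the real function would fire at the failing stage (auth_cookie_bad_hash for the tampered expiration and after the password change, auth_cookie_expired for the stale cookie on GET, auth_cookie_bad_session_token once the session store is emptied). Binding pass_frag into the key is what makes a password change invalidate outstanding cookies, and the token check is what makes logout effective even for a cookie whose HMAC is still correct; those same hook names are the events a site can subscribe to when it wants to log repeated validation failures.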
Hooks
- do_action( 'auth_cookie_bad_hash', string[] $cookie_elements )
  Fires if a bad authentication cookie hash is encountered.
- do_action( 'auth_cookie_bad_session_token', string[] $cookie_elements )
  Fires if a bad session token is encountered.
- do_action( 'auth_cookie_bad_username', string[] $cookie_elements )
  Fires if a bad username is entered in the user authentication process.
- do_action( 'auth_cookie_expired', string[] $cookie_elements )
  Fires once an authentication cookie has expired.
- do_action( 'auth_cookie_malformed', string $cookie, string $scheme )
  Fires if an authentication cookie is malformed.
- do_action( 'auth_cookie_valid', string[] $cookie_elements, WP_User $user )
  Fires once an authentication cookie has been validated.
Changelog
| Version | Description |
|---|---|
| 2.5.0 | Introduced. |