wp_validate_auth_cookie( string $cookie = '', string $scheme = '' ): int|false

Validates authentication cookie.

Description

The checks include making sure that the authentication cookie is set and pulling in the contents (if $cookie is not used).

Makes sure the cookie is not expired. Verifies the hash in the cookie is what it should be and compares the two.

Parameters

$cookie string optional
If used, will validate contents instead of cookie's.

Default: ''

$scheme string optional
The cookie scheme to use: 'auth', 'secure_auth', or 'logged_in'.
Note: This does *not* default to 'auth' like other cookie functions.

Default: ''

Return

int|false User ID if valid cookie, false if invalid.

Source

function wp_validate_auth_cookie( $cookie = '', $scheme = '' ) {
	$cookie_elements = wp_parse_auth_cookie( $cookie, $scheme );
	if ( ! $cookie_elements ) {
		/**
		 * Fires if an authentication cookie is malformed.
		 *
		 * @since 2.7.0
		 *
		 * @param string $cookie Malformed auth cookie.
		 * @param string $scheme Authentication scheme. Values include 'auth', 'secure_auth',
		 *                       or 'logged_in'.
		 */
		do_action( 'auth_cookie_malformed', $cookie, $scheme );
		return false;
	}

	$scheme     = $cookie_elements['scheme'];
	$username   = $cookie_elements['username'];
	$hmac       = $cookie_elements['hmac'];
	$token      = $cookie_elements['token'];
	$expiration = $cookie_elements['expiration'];

	$expired = (int) $expiration;

	// Allow a grace period for POST and Ajax requests.
	if ( wp_doing_ajax() || 'POST' === $_SERVER['REQUEST_METHOD'] ) {
		$expired += HOUR_IN_SECONDS;
	}

	// Quick check to see if an honest cookie has expired.
	if ( $expired < time() ) {
		/**
		 * Fires once an authentication cookie has expired.
		 *
		 * @since 2.7.0
		 *
		 * @param string[] $cookie_elements {
		 *     Authentication cookie components. None of the components should be assumed
		 *     to be valid as they come directly from a client-provided cookie value.
		 *
		 *     @type string $username   User's username.
		 *     @type string $expiration The time the cookie expires as a UNIX timestamp.
		 *     @type string $token      User's session token used.
		 *     @type string $hmac       The security hash for the cookie.
		 *     @type string $scheme     The cookie scheme to use.
		 * }
		 */
		do_action( 'auth_cookie_expired', $cookie_elements );
		return false;
	}

	$user = get_user_by( 'login', $username );
	if ( ! $user ) {
		/**
		 * Fires if a bad username is entered in the user authentication process.
		 *
		 * @since 2.7.0
		 *
		 * @param string[] $cookie_elements {
		 *     Authentication cookie components. None of the components should be assumed
		 *     to be valid as they come directly from a client-provided cookie value.
		 *
		 *     @type string $username   User's username.
		 *     @type string $expiration The time the cookie expires as a UNIX timestamp.
		 *     @type string $token      User's session token used.
		 *     @type string $hmac       The security hash for the cookie.
		 *     @type string $scheme     The cookie scheme to use.
		 * }
		 */
		do_action( 'auth_cookie_bad_username', $cookie_elements );
		return false;
	}

	if ( str_starts_with( $user->user_pass, '$P$' ) || str_starts_with( $user->user_pass, '$2y$' ) ) {
		// Retain previous behaviour of phpass or vanilla bcrypt hashed passwords.
		$pass_frag = substr( $user->user_pass, 8, 4 );
	} else {
		// Otherwise, use a substring from the end of the hash to avoid dealing with potentially long hash prefixes.
		$pass_frag = substr( $user->user_pass, -4 );
	}

	$key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );

	$hash = hash_hmac( 'sha256', $username . '|' . $expiration . '|' . $token, $key );

	if ( ! hash_equals( $hash, $hmac ) ) {
		/**
		 * Fires if a bad authentication cookie hash is encountered.
		 *
		 * @since 2.7.0
		 *
		 * @param string[] $cookie_elements {
		 *     Authentication cookie components. None of the components should be assumed
		 *     to be valid as they come directly from a client-provided cookie value.
		 *
		 *     @type string $username   User's username.
		 *     @type string $expiration The time the cookie expires as a UNIX timestamp.
		 *     @type string $token      User's session token used.
		 *     @type string $hmac       The security hash for the cookie.
		 *     @type string $scheme     The cookie scheme to use.
		 * }
		 */
		do_action( 'auth_cookie_bad_hash', $cookie_elements );
		return false;
	}

	$manager = WP_Session_Tokens::get_instance( $user->ID );
	if ( ! $manager->verify( $token ) ) {
		/**
		 * Fires if a bad session token is encountered.
		 *
		 * @since 4.0.0
		 *
		 * @param string[] $cookie_elements {
		 *     Authentication cookie components. None of the components should be assumed
		 *     to be valid as they come directly from a client-provided cookie value.
		 *
		 *     @type string $username   User's username.
		 *     @type string $expiration The time the cookie expires as a UNIX timestamp.
		 *     @type string $token      User's session token used.
		 *     @type string $hmac       The security hash for the cookie.
		 *     @type string $scheme     The cookie scheme to use.
		 * }
		 */
		do_action( 'auth_cookie_bad_session_token', $cookie_elements );
		return false;
	}

	// Ajax/POST grace period set above.
	if ( $expiration < time() ) {
		$GLOBALS['login_grace_period'] = 1;
	}

	/**
	 * Fires once an authentication cookie has been validated.
	 *
	 * @since 2.7.0
	 *
	 * @param string[] $cookie_elements {
	 *     Authentication cookie components.
	 *
	 *     @type string $username   User's username.
	 *     @type string $expiration The time the cookie expires as a UNIX timestamp.
	 *     @type string $token      User's session token used.
	 *     @type string $hmac       The security hash for the cookie.
	 *     @type string $scheme     The cookie scheme to use.
	 * }
	 * @param WP_User  $user            User object.
	 */
	do_action( 'auth_cookie_valid', $cookie_elements, $user );

	return $user->ID;
}

Hooks

do_action( 'auth_cookie_bad_hash', string[] $cookie_elements )

Fires if a bad authentication cookie hash is encountered.

do_action( 'auth_cookie_bad_session_token', string[] $cookie_elements )

Fires if a bad session token is encountered.

do_action( 'auth_cookie_bad_username', string[] $cookie_elements )

Fires if a bad username is entered in the user authentication process.

do_action( 'auth_cookie_expired', string[] $cookie_elements )

Fires once an authentication cookie has expired.

do_action( 'auth_cookie_malformed', string $cookie, string $scheme )

Fires if an authentication cookie is malformed.

do_action( 'auth_cookie_valid', string[] $cookie_elements, WP_User $user )

Fires once an authentication cookie has been validated.
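
The failure hooks above can feed a detection log. The following is an added example, not WordPress core code: a small plugin that records the four failure actions that pass the cookie components array. The authlog_* function names, the log prefix and the 60-character cap are assumptions made for the example. Because the components come straight from the client, they are stripped of control characters and truncated before logging, and the hmac and token are never written out.

```php
<?php
/**
 * Added example (not WordPress core code): log failed auth-cookie validations.
 * The authlog_* names and the log line format are hypothetical.
 */

// Cookie components are client-supplied, so strip and bound them before logging.
function authlog_clean( $value ) {
	$value = is_scalar( $value ) ? (string) $value : '';
	// Drop control characters (CR/LF included) to prevent log-line injection.
	$value = preg_replace( '/[\x00-\x1F\x7F]/', '', $value );
	return substr( (string) $value, 0, 60 );
}

// Write one JSON line per failed validation to the PHP error log.
function authlog_record( $reason, $elements ) {
	$elements = is_array( $elements ) ? $elements : array();
	$entry    = array(
		'event'      => 'auth_cookie_' . $reason,
		'username'   => authlog_clean( $elements['username'] ?? '' ),
		'scheme'     => authlog_clean( $elements['scheme'] ?? '' ),
		'expiration' => authlog_clean( $elements['expiration'] ?? '' ),
		'ip'         => authlog_clean( $_SERVER['REMOTE_ADDR'] ?? '' ),
	);
	// The hmac and session token are deliberately left out of the log.
	error_log( 'wp-auth-cookie ' . wp_json_encode( $entry ) );
}

// Each of these actions passes the $cookie_elements array as its only argument.
foreach ( array( 'bad_hash', 'bad_username', 'bad_session_token', 'expired' ) as $reason ) {
	add_action(
		'auth_cookie_' . $reason,
		function ( $elements ) use ( $reason ) {
			authlog_record( $reason, $elements );
		}
	);
}
```

Repeated 'auth_cookie_bad_hash' or 'auth_cookie_bad_username' events from one address are worth alerting on, since an honest expired cookie fails at the earlier 'auth_cookie_expired' check instead.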

Changelog

Version Description
2.5.0 Introduced.
