WordPress login mechanism

Whether you use the default WordPress login page, wp-login.php (e.g. http://myprogrammingnotes.com/login), or a custom login form of your own, the back-end code eventually calls the core function wp_signon() to do the authentication work. To authenticate, the request must carry the user login name and the password in $_POST['log'] and $_POST['pwd']; wp_signon() reads them into the 'user_login' and 'user_password' credentials and passes them to wp_authenticate(), which runs the 'authenticate' filter chain (by default wp_authenticate_username_password(), with wp_authenticate_email_password() in newer versions) to see whether it is a valid login. If a WP_User comes back, wp_signon() calls wp_set_auth_cookie() to set the cookies that keep the user logged in on later requests; otherwise it returns a WP_Error, so a custom form should check is_wp_error() on the result before treating the user as logged in.

Specifically, WordPress determines the current user lazily, on the first call to wp_get_current_user(); in the author's trace that was the first call to get_posts(), which goes $user_id = get_current_user_id(); -> $user = wp_get_current_user(); -> get_currentuserinfo() (renamed _wp_get_current_user() in WordPress 4.5) -> $user_id = apply_filters( 'determine_current_user', false );. Two functions are hooked to the 'determine_current_user' filter in default-filters.php: wp_validate_auth_cookie (priority 10) and wp_validate_logged_in_cookie (priority 20). They split the cookie into four fields (user login name, expiration time, session token, hash), check that the expiration time has not passed, read the row for that login name from the wp_users table, recompute the hash from the user's stored password hash and the other cookie fields, and compare it with the hash in the cookie using hash_equals(). A match does not mean a password was entered on this request; it means the cookie was issued by this installation (recomputing the hash needs the secret keys and salts from wp-config.php) for this user's current password hash, which is also why changing the password invalidates all outstanding cookies. For the authentication to succeed, the token in the cookie must additionally correspond to a session that is still stored for that user and has not expired.

If the authentication succeeds, the global variable $current_user is set to that user's information, and every later capability check (current_user_can() and friends) is evaluated against it; this is what actually implements the login, i.e. a user can only reach the resources its own account is allowed to see. If it fails, for example because the user has not logged in yet, get_current_user_id() returns 0, and user id 0 represents an anonymous visitor.

After a user logs in, wp_set_auth_cookie() creates a session through WP_Session_Tokens. The session records the user's IP address, user agent, login time and expiration time, and a token (43 random characters from wp_generate_password()) is generated to represent it. All of a user's sessions are stored in the wp_usermeta table as the meta value of the "session_tokens" meta_key, keyed by a SHA-256 hash of the token rather than the token itself, so reading the database alone does not yield a usable cookie. The generated auth cookie contains four fields: the user login name, the expiration time of the cookie, the session token, and a hash calculated over those fields plus a four-character fragment of the user's stored password hash, keyed with the site's secret keys and salts. Two cookies are generated from the same session token, differing only in their name and in the key/salt pair used for the hash: an auth cookie and a logged-in cookie.

The auth cookie name is

define('AUTH_COOKIE', 'wordpress_' . md5( $siteurl ));

The login cookie’s name is

define('LOGGED_IN_COOKIE', 'wordpress_logged_in_' . md5( $siteurl ));

On HTTPS the auth cookie is instead SECURE_AUTH_COOKIE ('wordpress_sec_' . md5( $siteurl )) and carries the Secure flag; both cookies are set HttpOnly. The two cookies differ in scope rather than in purpose. The auth cookie is set only for the admin paths (ADMIN_COOKIE_PATH, i.e. /wp-admin, and PLUGINS_COOKIE_PATH), while the logged-in cookie is set for the whole site (COOKIEPATH and SITECOOKIEPATH). So on ordinary front-end page views the browser sends only the logged-in cookie, and wp_validate_logged_in_cookie() is what identifies the user; inside the dashboard wp_validate_logged_in_cookie() bails out (it returns false when is_blog_admin() or is_network_admin()), and the auth cookie, checked by wp_validate_auth_cookie() and by auth_redirect(), is what counts. Logging out, or "Log Out Everywhere Else" on the profile page, destroys the session token, which invalidates both cookies even though their hashes remain correct.
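The whole path described above (session creation, minting of the two cookies, the determine_current_user filter chain, and each way validation can fail), as an added example that is not WordPress's own code: a stand-alone Python model of the WordPress 4.0+ cookie scheme. The cookie layout and hash construction (user|expiration|token|hmac, HMAC-SHA256 keyed by wp_hash() over the user name, a four-character fragment of the stored password hash, the expiration and the token) follow pluggable.php; the salts, password hashes, session store, user names and scenario labels are constructed test data, and a real site takes the salts from wp-config.php and the rest from wp_users and wp_usermeta.

```python
import hashlib
import hmac
import secrets

# Added example, not WordPress code: a stand-alone model of the WP 4.0+ auth cookie
# scheme. Salts, users and sessions are constructed test data; a real site takes salts
# from wp-config.php, user_pass from wp_users and sessions from wp_usermeta.
SALTS = {  # assumed values standing in for AUTH_KEY . AUTH_SALT and LOGGED_IN_KEY . LOGGED_IN_SALT
    "auth": "auth-key-and-salt-from-wp-config",
    "logged_in": "logged-in-key-and-salt-from-wp-config",
}
USERS = {  # wp_users.user_pass: constructed phpass-style hashes (only chars 8..11 are used)
    "alice": "$P$BtA1zYf3Q0kGq9Wk6x3mUoq6C4bN2d/",
    "bob": "$P$B7kQm2Lx9pRz4Ws8cVt1yUo3iEa5nHb.",
}
SESSIONS = {}  # "session_tokens" usermeta: user_login -> {sha256(token): expiration}

def wp_hash(data, scheme):
    """wp_hash(): HMAC-MD5 keyed with wp_salt(scheme), i.e. key + salt from wp-config.php."""
    return hmac.new(SALTS[scheme].encode(), data.encode(), hashlib.md5).hexdigest()

def hash_token(token):
    """WP_Session_Tokens::hash_token(): only sha256(token) is stored in the database."""
    return hashlib.sha256(token.encode()).hexdigest()

def cookie_mac(username, expiration, token, scheme):
    """The cookie's hash field: HMAC-SHA256 over user|expiration|token, keyed by
    wp_hash(user|pass_frag|expiration|token) with pass_frag = substr(user_pass, 8, 4),
    so a password change invalidates every outstanding cookie."""
    pass_frag = USERS[username][8:12]
    key = wp_hash(f"{username}|{pass_frag}|{expiration}|{token}", scheme)
    msg = f"{username}|{expiration}|{token}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()

def generate_auth_cookie(username, expiration, token, scheme):
    """wp_generate_auth_cookie(): user|expiration|token|hmac."""
    return f"{username}|{expiration}|{token}|{cookie_mac(username, expiration, token, scheme)}"

def validate_auth_cookie(cookie, scheme, now):
    """wp_validate_auth_cookie(): the user_login on success, None otherwise
    (the real function also grants a one-hour grace period on POST/Ajax requests)."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None                     # malformed cookie
    username, expiration, token, mac = parts
    if not expiration.isdigit() or int(expiration) < now:
        return None                     # expired
    if username not in USERS:
        return None                     # no such row in wp_users
    if not hmac.compare_digest(cookie_mac(username, expiration, token, scheme), mac):
        return None                     # forged, wrong scheme, or password changed
    session_exp = SESSIONS.get(username, {}).get(hash_token(token))
    if session_exp is None or session_exp < now:
        return None                     # session destroyed or expired
    return username

def set_auth_cookie(username, remember, now):
    """wp_set_auth_cookie(): create a session token, then mint both cookies."""
    expiration = now + (14 if remember else 2) * 24 * 3600
    token = secrets.token_hex(22)       # WP uses wp_generate_password(43, false, false)
    SESSIONS.setdefault(username, {})[hash_token(token)] = expiration
    return {"auth": generate_auth_cookie(username, expiration, token, "auth"),
            "logged_in": generate_auth_cookie(username, expiration, token, "logged_in")}

def determine_current_user(cookies, is_admin_page, now):
    """The two 'determine_current_user' filters in priority order: the auth cookie
    (only sent under /wp-admin) first, then the logged_in cookie on non-admin pages."""
    if "auth" in cookies:
        user = validate_auth_cookie(cookies["auth"], "auth", now)
        if user:
            return user
    if not is_admin_page and "logged_in" in cookies:
        return validate_auth_cookie(cookies["logged_in"], "logged_in", now)
    return None

def demo(now=1_700_000_000):
    """Scenario -> accepted user (None means an anonymous visitor, user id 0)."""
    SESSIONS.clear()
    cookies = set_auth_cookie("alice", remember=False, now=now)
    li = cookies["logged_in"]
    results = {
        "front_end_logged_in_cookie": determine_current_user({"logged_in": li}, False, now),
        "admin_page_logged_in_only": determine_current_user({"logged_in": li}, True, now),
        "admin_page_auth_cookie": determine_current_user(cookies, True, now),
        "username_tampered": validate_auth_cookie(li.replace("alice", "bob", 1), "logged_in", now),
        "wrong_scheme": validate_auth_cookie(li, "auth", now),
        "expired": validate_auth_cookie(li, "logged_in", now + 3 * 24 * 3600),
    }
    old_hash, USERS["alice"] = USERS["alice"], "$P$Bdifferent_hash_after_password_change/"
    results["password_changed"] = validate_auth_cookie(li, "logged_in", now)
    USERS["alice"] = old_hash
    SESSIONS["alice"].clear()           # "Log Out Everywhere Else" destroys the sessions
    results["session_destroyed"] = validate_auth_cookie(li, "logged_in", now)
    return results

if __name__ == "__main__":
    for scenario, user in demo().items():
        print(f"{scenario:28} -> {user}")
```

Running demo() shows that only the first and third scenarios yield a user: a logged-in cookie identifies the user on front-end pages but is ignored in the admin area, the hash check rejects a cookie whose user name was edited, one validated under the other scheme's key, or one issued before a password change, and a cookie whose hash is still perfectly valid is rejected once its session has been destroyed or has expired. The session and password-fragment checks are the two things a stolen cookie cannot survive, which is why forcing a password reset plus "Log Out Everywhere Else" is the right response to a suspected cookie theft.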
