wp_set_auth_cookie( int $user_id, bool $remember = false, bool|string $secure = '', string $token = '' )

Sets the authentication cookies based on user ID.

Description

The $remember parameter increases the time that the cookie will be kept. By default, without remembering, the cookie is kept for two days. When $remember is set, the cookies will be kept for 14 days (two weeks).

Parameters

$user_id (int, required)
User ID.

$remember (bool, optional)
Whether to remember the user.
Default: false

$secure (bool|string, optional)
Whether the auth cookie should only be sent over HTTPS. Default is an empty string which means the value of is_ssl() will be used.
Default: ''

$token (string, optional)
User's session token to use for this cookie.
Default: ''

Source

function wp_set_auth_cookie( $user_id, $remember = false, $secure = '', $token = '' ) {
	if ( $remember ) {
		/**
		 * Filters the duration of the authentication cookie expiration period.
		 *
		 * @since 2.8.0
		 *
		 * @param int  $length   Duration of the expiration period in seconds.
		 * @param int  $user_id  User ID.
		 * @param bool $remember Whether to remember the user login. Default false.
		 */
		$expiration = time() + apply_filters( 'auth_cookie_expiration', 14 * DAY_IN_SECONDS, $user_id, $remember );

		/*
		 * Ensure the browser will continue to send the cookie after the expiration time is reached.
		 * Needed for the login grace period in wp_validate_auth_cookie().
		 */
		$expire = $expiration + ( 12 * HOUR_IN_SECONDS );
	} else {
		/** This filter is documented in wp-includes/pluggable.php */
		$expiration = time() + apply_filters( 'auth_cookie_expiration', 2 * DAY_IN_SECONDS, $user_id, $remember );
		$expire     = 0;
	}

	if ( '' === $secure ) {
		$secure = is_ssl();
	}

	// Front-end cookie is secure when the auth cookie is secure and the site's home URL uses HTTPS.
	$secure_logged_in_cookie = $secure && 'https' === parse_url( get_option( 'home' ), PHP_URL_SCHEME );

	/**
	 * Filters whether the auth cookie should only be sent over HTTPS.
	 *
	 * @since 3.1.0
	 *
	 * @param bool $secure  Whether the cookie should only be sent over HTTPS.
	 * @param int  $user_id User ID.
	 */
	$secure = apply_filters( 'secure_auth_cookie', $secure, $user_id );

	/**
	 * Filters whether the logged in cookie should only be sent over HTTPS.
	 *
	 * @since 3.1.0
	 *
	 * @param bool $secure_logged_in_cookie Whether the logged in cookie should only be sent over HTTPS.
	 * @param int  $user_id                 User ID.
	 * @param bool $secure                  Whether the auth cookie should only be sent over HTTPS.
	 */
	$secure_logged_in_cookie = apply_filters( 'secure_logged_in_cookie', $secure_logged_in_cookie, $user_id, $secure );

	if ( $secure ) {
		$auth_cookie_name = SECURE_AUTH_COOKIE;
		$scheme           = 'secure_auth';
	} else {
		$auth_cookie_name = AUTH_COOKIE;
		$scheme           = 'auth';
	}

	if ( '' === $token ) {
		$manager = WP_Session_Tokens::get_instance( $user_id );
		$token   = $manager->create( $expiration );
	}

	$auth_cookie      = wp_generate_auth_cookie( $user_id, $expiration, $scheme, $token );
	$logged_in_cookie = wp_generate_auth_cookie( $user_id, $expiration, 'logged_in', $token );

	/**
	 * Fires immediately before the authentication cookie is set.
	 *
	 * @since 2.5.0
	 * @since 4.9.0 The `$token` parameter was added.
	 *
	 * @param string $auth_cookie Authentication cookie value.
	 * @param int    $expire      The time the login grace period expires as a UNIX timestamp.
	 *                            Default is 12 hours past the cookie's expiration time.
	 * @param int    $expiration  The time when the authentication cookie expires as a UNIX timestamp.
	 *                            Default is 14 days from now.
	 * @param int    $user_id     User ID.
	 * @param string $scheme      Authentication scheme. Values include 'auth' or 'secure_auth'.
	 * @param string $token       User's session token to use for this cookie.
	 */
	do_action( 'set_auth_cookie', $auth_cookie, $expire, $expiration, $user_id, $scheme, $token );

	/**
	 * Fires immediately before the logged-in authentication cookie is set.
	 *
	 * @since 2.6.0
	 * @since 4.9.0 The `$token` parameter was added.
	 *
	 * @param string $logged_in_cookie The logged-in cookie value.
	 * @param int    $expire           The time the login grace period expires as a UNIX timestamp.
	 *                                 Default is 12 hours past the cookie's expiration time.
	 * @param int    $expiration       The time when the logged-in authentication cookie expires as a UNIX timestamp.
	 *                                 Default is 14 days from now.
	 * @param int    $user_id          User ID.
	 * @param string $scheme           Authentication scheme. Default 'logged_in'.
	 * @param string $token            User's session token to use for this cookie.
	 */
	do_action( 'set_logged_in_cookie', $logged_in_cookie, $expire, $expiration, $user_id, 'logged_in', $token );

	/**
	 * Allows preventing auth cookies from actually being sent to the client.
	 *
	 * @since 4.7.4
	 * @since 6.2.0 The `$expire`, `$expiration`, `$user_id`, `$scheme`, and `$token` parameters were added.
	 *
	 * @param bool   $send       Whether to send auth cookies to the client. Default true.
	 * @param int    $expire     The time the login grace period expires as a UNIX timestamp.
	 *                           Default is 12 hours past the cookie's expiration time. Zero when clearing cookies.
	 * @param int    $expiration The time when the logged-in authentication cookie expires as a UNIX timestamp.
	 *                           Default is 14 days from now. Zero when clearing cookies.
	 * @param int    $user_id    User ID. Zero when clearing cookies.
	 * @param string $scheme     Authentication scheme. Values include 'auth' or 'secure_auth'.
	 *                           Empty string when clearing cookies.
	 * @param string $token      User's session token to use for this cookie. Empty string when clearing cookies.
	 */
	if ( ! apply_filters( 'send_auth_cookies', true, $expire, $expiration, $user_id, $scheme, $token ) ) {
		return;
	}

	setcookie( $auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, true );
	setcookie( $auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, true );
	setcookie( LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true );
	if ( COOKIEPATH !== SITECOOKIEPATH ) {
		setcookie( LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true );
	}
}

Hooks

apply_filters( 'auth_cookie_expiration', int $length, int $user_id, bool $remember )

Filters the duration of the authentication cookie expiration period.

apply_filters( 'secure_auth_cookie', bool $secure, int $user_id )

Filters whether the auth cookie should only be sent over HTTPS.

apply_filters( 'secure_logged_in_cookie', bool $secure_logged_in_cookie, int $user_id, bool $secure )

Filters whether the logged in cookie should only be sent over HTTPS.

apply_filters( 'send_auth_cookies', bool $send, int $expire, int $expiration, int $user_id, string $scheme, string $token )

Allows preventing auth cookies from actually being sent to the client.

do_action( 'set_auth_cookie', string $auth_cookie, int $expire, int $expiration, int $user_id, string $scheme, string $token )

Fires immediately before the authentication cookie is set.

do_action( 'set_logged_in_cookie', string $logged_in_cookie, int $expire, int $expiration, int $user_id, string $scheme, string $token )

Fires immediately before the logged-in authentication cookie is set.
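
The hooks above can carry a site's session policy. The following is an added example, not WordPress core code: it shortens the cookie lifetime for privileged users through 'auth_cookie_expiration' and logs each issuance through 'set_auth_cookie', flagging an auth cookie issued without the Secure scheme on a site whose home URL is HTTPS. The 'manage_options' check, the 8-hour lifetime and the log format are assumptions.

```php
<?php
// Added example, not WordPress core code. Intended for a must-use plugin.

// Shorter sessions for privileged accounts. The 'manage_options' check and
// the 8-hour lifetime are assumptions chosen for illustration.
add_filter(
	'auth_cookie_expiration',
	function ( $length, $user_id, $remember ) {
		return user_can( $user_id, 'manage_options' ) ? 8 * HOUR_IN_SECONDS : $length;
	},
	10,
	3
);

// Record each cookie issuance for later review. $auth_cookie and $token are
// live credentials, so they are deliberately kept out of the log line.
add_action(
	'set_auth_cookie',
	function ( $auth_cookie, $expire, $expiration, $user_id, $scheme, $token ) {
		$remote_addr   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
		$home_is_https = 'https' === parse_url( get_option( 'home' ), PHP_URL_SCHEME );

		// Scheme 'auth' means the cookie is set without the Secure flag.
		$not_secure_on_https_site = $home_is_https && 'auth' === $scheme;

		error_log(
			sprintf(
				'auth cookie issued: user_id=%d scheme=%s valid_until=%s persistent=%s not_secure_on_https_site=%s ip=%s',
				$user_id,
				$scheme,
				gmdate( 'c', $expiration ),
				0 === $expire ? 'no' : 'yes', // $expire is 0 for a browser-session cookie.
				$not_secure_on_https_site ? 'yes' : 'no',
				$remote_addr
			)
		);
	},
	10,
	6
);
```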

Changelog

Version    Description
4.3.0      Added the $token parameter.
2.5.0      Introduced.

User Contributed Notes

  1. You can do a WordPress login without a password.

    // First get the user details
    $user = get_user_by( 'login', $username );

    // get_user_by() returns a WP_User object on success and false on failure
    if ( $user instanceof WP_User ) {
        wp_clear_auth_cookie();
        wp_set_current_user( $user->ID ); // Set the current user detail
        wp_set_auth_cookie( $user->ID );  // Set auth details in cookie
        $message = "Logged in successfully";
    } else {
        $message = "Failed to log in";
    }

    echo $message;
  2. Would rather recommend using a login form than this function.
    The problem with this function is that no admin rights work. For example, updating posts or settings will redirect you to
    “The link you followed has expired.” (because for some reason your link expired in 1986 (Expires: Wed, 11 Jan 1984 05:00:00 GMT))
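
Both notes concern calling wp_set_auth_cookie() outside the login form. The following is an added example, not code from the notes or from WordPress core: it issues the cookies only after a single-use, expiring token has been verified, then redirects so the next request carries the new cookies. The function name, the meta keys and the way the token is created and delivered are hypothetical.

```php
<?php
// Added example, not WordPress core code. The function name and meta keys are
// hypothetical. The token is assumed to have been created with
// wp_generate_password( 32, false ), stored only as a SHA-256 hash with an
// expiry timestamp, and delivered to the user out of band (for example by email).
function example_login_with_one_time_token( $username, $presented_token ) {
	$user = get_user_by( 'login', $username );
	if ( ! $user instanceof WP_User ) {
		return new WP_Error( 'example_login_failed', 'Login failed.' );
	}

	$stored_hash = (string) get_user_meta( $user->ID, 'example_login_token_hash', true );
	$expires_at  = (int) get_user_meta( $user->ID, 'example_login_token_expires', true );

	// Single use: remove the token before checking it, so a replay always
	// fails and each issued token allows exactly one guess.
	delete_user_meta( $user->ID, 'example_login_token_hash' );
	delete_user_meta( $user->ID, 'example_login_token_expires' );

	$presented_hash = hash( 'sha256', (string) $presented_token );
	if ( '' === $stored_hash || time() > $expires_at || ! hash_equals( $stored_hash, $presented_hash ) ) {
		return new WP_Error( 'example_login_failed', 'Login failed.' );
	}

	wp_clear_auth_cookie();
	wp_set_current_user( $user->ID );
	wp_set_auth_cookie( $user->ID, false, is_ssl() );
	do_action( 'wp_login', $user->user_login, $user );

	// wp_set_auth_cookie() only sends Set-Cookie headers; $_COOKIE in this
	// request is unchanged, so nonces created now would not be tied to the
	// new session. Redirect so the next request starts with the new cookies.
	wp_safe_redirect( admin_url() );
	exit;
}
```

The function must run before any output is sent, because both the cookies and the redirect are HTTP headers.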
