wp_signon( array $credentials = array(), string|bool $secure_cookie = '' ): WP_User|WP_Error

Authenticates and logs a user in with ‘remember’ capability.

Contents

Description

The credentials is an array that has ‘user_login’, ‘user_password’, and ‘remember’ indices. If the credentials is not given, then the log in form will be assumed and used if set.

The various authentication cookies will be set by this function and will be set for a longer period depending on if the ‘remember’ credential is set to true.

Note: wp_signon() doesn’t handle setting the current user. This means that if the function is called before the ‘init’ hook is fired, is_user_logged_in() will evaluate as false until that point. If is_user_logged_in() is needed in conjunction with wp_signon() , wp_set_current_user() should be called explicitly.

Top ↑

Parameters

$credentials array Optional
User info in order to sign on.
  • user_login string
    Username.
  • user_password string
    User password.
  • remember bool
    Whether to 'remember' the user. Increases the time that the cookie will be kept. Default false.

Default: array()

$secure_cookie string|bool Optional
Whether to use secure cookie.

Default: ''

Top ↑

Return

WP_User|WP_Error WP_User on success, WP_Error on failure.

Top ↑

More Information

If you don’t provide $credentials, wp_signon uses the $_POST variable (the keys being “log”, “pwd” and “rememberme”).

This function sends headers to the page. It must be run before any content is returned.

This function sets an authentication cookie. Users will not be logged in if it is not sent.

 

Top ↑

Source

File: wp-includes/user.php. View all references 

function wp_signon( $credentials = array(), $secure_cookie = '' ) {
	if ( empty( $credentials ) ) {
		$credentials = array(
			'user_login'    => '',
			'user_password' => '',
			'remember'      => false,
		);

		if ( ! empty( $_POST['log'] ) ) {
			$credentials['user_login'] = wp_unslash( $_POST['log'] );
		}
		if ( ! empty( $_POST['pwd'] ) ) {
			$credentials['user_password'] = $_POST['pwd'];
		}
		if ( ! empty( $_POST['rememberme'] ) ) {
			$credentials['remember'] = $_POST['rememberme'];
		}
	}

	if ( ! empty( $credentials['remember'] ) ) {
		$credentials['remember'] = true;
	} else {
		$credentials['remember'] = false;
	}

	/**
	 * Fires before the user is authenticated.
	 *
	 * The variables passed to the callbacks are passed by reference,
	 * and can be modified by callback functions.
	 *
	 * @since 1.5.1
	 *
	 * @todo Decide whether to deprecate the wp_authenticate action.
	 *
	 * @param string $user_login    Username (passed by reference).
	 * @param string $user_password User password (passed by reference).
	 */
	do_action_ref_array( 'wp_authenticate', array( &$credentials['user_login'], &$credentials['user_password'] ) );

	if ( '' === $secure_cookie ) {
		$secure_cookie = is_ssl();
	}

	/**
	 * Filters whether to use a secure sign-on cookie.
	 *
	 * @since 3.1.0
	 *
	 * @param bool  $secure_cookie Whether to use a secure sign-on cookie.
	 * @param array $credentials {
	 *     Array of entered sign-on data.
	 *
	 *     @type string $user_login    Username.
	 *     @type string $user_password Password entered.
	 *     @type bool   $remember      Whether to 'remember' the user. Increases the time
	 *                                 that the cookie will be kept. Default false.
	 * }
	 */
	$secure_cookie = apply_filters( 'secure_signon_cookie', $secure_cookie, $credentials );

	global $auth_secure_cookie; // XXX ugly hack to pass this to wp_authenticate_cookie().
	$auth_secure_cookie = $secure_cookie;

	add_filter( 'authenticate', 'wp_authenticate_cookie', 30, 3 );

	$user = wp_authenticate( $credentials['user_login'], $credentials['user_password'] );

	if ( is_wp_error( $user ) ) {
		return $user;
	}

	wp_set_auth_cookie( $user->ID, $credentials['remember'], $secure_cookie );
	/**
	 * Fires after the user has successfully logged in.
	 *
	 * @since 1.5.0
	 *
	 * @param string  $user_login Username.
	 * @param WP_User $user       WP_User object of the logged-in user.
	 */
	do_action( 'wp_login', $user->user_login, $user );
	return $user;
}

View on Trac View on GitHub

Top ↑

Hooks

Top ↑

Top ↑

Uses

Uses
Uses Description
wp_set_auth_cookie() wp-includes/pluggable.php

Sets the authentication cookies based on user ID.
wp_authenticate() wp-includes/pluggable.php

Authenticates a user, confirming the login credentials are valid.
is_ssl() wp-includes/load.php

Determines if SSL is used.
do_action_ref_array() wp-includes/plugin.php

Calls the callback functions that have been added to an action hook, specifying arguments in an array.
wp_unslash() wp-includes/formatting.php

Removes slashes from a string or recursively removes slashes from strings within an array.
apply_filters() wp-includes/plugin.php

Calls the callback functions that have been added to a filter hook.
add_filter() wp-includes/plugin.php

Adds a callback function to a filter hook.
do_action() wp-includes/plugin.php

Calls the callback functions that have been added to an action hook.
is_wp_error() wp-includes/load.php

Checks whether the given variable is a WordPress Error.
Show 5 more uses Hide more uses

Top ↑

Changelog

Changelog
Version Description
2.5.0 Introduced.

Top ↑

User Contributed Notes

  1. Skip to note 1 content
    You must log in to vote on the helpfulness of this noteVote results for this note: 5You must log in to vote on the helpfulness of this note
    Contributed by Codex

    This function and action can be placed in functions.php of the theme.

    Using the hook after_setup_theme will make it run before the headers and cookies are sent, so it can set the needed cookie for login.

    /**
 * Perform automatic login.
 */
function wpdocs_custom_login() {
	$creds = array(
		'user_login'    => 'example',
		'user_password' => 'plaintextpw',
		'remember'      => true
	);

	$user = wp_signon( $creds, false );

	if ( is_wp_error( $user ) ) {
		echo $user->get_error_message();
	}
}

// Run before the headers and cookies are sent.
add_action( 'after_setup_theme', 'wpdocs_custom_login' );
  2. Skip to note 2 content
    You must log in to vote on the helpfulness of this noteVote results for this note: 5You must log in to vote on the helpfulness of this note
    Contributed by cogdog

    If you want to cover your bases for SSL sites that need a secure cookie, I use (where $creds is the array of login credentials)


    $autologin_user = wp_signon( $creds, is_ssl() );

  3. Skip to note 3 content
    You must log in to vote on the helpfulness of this noteVote results for this note: 2You must log in to vote on the helpfulness of this note
    Contributed by cogdog

    I have some sites where in code I log in a visitor to a hidden account (to enable media uploads form front end form), admin bar is hidden, and access to dashboard is blocked. But I have a report where wp_signon() fails and my hunch is because it is on site with SSL. I am guessing I need to use the $secure_cookie option, but I cannot find any info on how to do this.

    My guess is I need to set the cookie first with wp_set_auth_cookie() ?? The option there for $secure too is unclear.

    And if this is a case, do I need to test first if the host is running SSL? Will setting this cookie on an http:// site break the universe?

You must log in before being able to contribute a note or feedback.