wp_validate_auth_cookie

函数
wp_validate_auth_cookie ( $cookie = '', $scheme = '' )
参数
  • (string) $cookie Optional. If used, will validate contents instead of cookie's.
    Required:
    Default: (empty)
  • (string) $scheme Optional. The cookie scheme to use: 'auth', 'secure_auth', or 'logged_in'.
    Required:
    Default: (empty)
返回值
  • (int|false) User ID if valid cookie, false if invalid.
定义位置
相关方法
wp_clear_auth_cookiewp_parse_auth_cookiewp_generate_auth_cookiewp_set_auth_cookiewp_validate_logged_in_cookie
引入
2.5.0
弃用
-

wp_validate_auth_cookie是一个WordPress函数,用来验证一个认证cookie: 这个函数用来确定一个用户是否登录到一个网站并有一个有效的认证cookie: 该函数将一个cookie作为其输入,如果cookie是有效的,则返回用户ID,如果不是,则返回false。

验证认证 cookie。

检查包括确保认证cookie被设置并拉入内容(如果没有使用$cookie)。

确保cookie没有过期。验证cookie中的哈希值是否符合要求,并对两者进行比较。

function wp_validate_auth_cookie( $cookie = '', $scheme = '' ) {
		$cookie_elements = wp_parse_auth_cookie( $cookie, $scheme );
		if ( ! $cookie_elements ) {
			/**
			 * Fires if an authentication cookie is malformed.
			 *
			 * @since 2.7.0
			 *
			 * @param string $cookie Malformed auth cookie.
			 * @param string $scheme Authentication scheme. Values include 'auth', 'secure_auth',
			 *                       or 'logged_in'.
			 */
			do_action( 'auth_cookie_malformed', $cookie, $scheme );
			return false;
		}

		$scheme     = $cookie_elements['scheme'];
		$username   = $cookie_elements['username'];
		$hmac       = $cookie_elements['hmac'];
		$token      = $cookie_elements['token'];
		$expired    = $cookie_elements['expiration'];
		$expiration = $cookie_elements['expiration'];

		// Allow a grace period for POST and Ajax requests.
		if ( wp_doing_ajax() || 'POST' === $_SERVER['REQUEST_METHOD'] ) {
			$expired += HOUR_IN_SECONDS;
		}

		// Quick check to see if an honest cookie has expired.
		if ( $expired < time() ) {
			/**
			 * Fires once an authentication cookie has expired.
			 *
			 * @since 2.7.0
			 *
			 * @param string[] $cookie_elements {
			 *     Authentication cookie components. None of the components should be assumed
			 *     to be valid as they come directly from a client-provided cookie value.
			 *
			 *     @type string $username   User's username.
			 *     @type string $expiration The time the cookie expires as a UNIX timestamp.
			 *     @type string $token      User's session token used.
			 *     @type string $hmac       The security hash for the cookie.
			 *     @type string $scheme     The cookie scheme to use.
			 * }
			 */
			do_action( 'auth_cookie_expired', $cookie_elements );
			return false;
		}

		$user = get_user_by( 'login', $username );
		if ( ! $user ) {
			/**
			 * Fires if a bad username is entered in the user authentication process.
			 *
			 * @since 2.7.0
			 *
			 * @param string[] $cookie_elements {
			 *     Authentication cookie components. None of the components should be assumed
			 *     to be valid as they come directly from a client-provided cookie value.
			 *
			 *     @type string $username   User's username.
			 *     @type string $expiration The time the cookie expires as a UNIX timestamp.
			 *     @type string $token      User's session token used.
			 *     @type string $hmac       The security hash for the cookie.
			 *     @type string $scheme     The cookie scheme to use.
			 * }
			 */
			do_action( 'auth_cookie_bad_username', $cookie_elements );
			return false;
		}

		$pass_frag = substr( $user->user_pass, 8, 4 );

		$key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );

		// If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
		$algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
		$hash = hash_hmac( $algo, $username . '|' . $expiration . '|' . $token, $key );

		if ( ! hash_equals( $hash, $hmac ) ) {
			/**
			 * Fires if a bad authentication cookie hash is encountered.
			 *
			 * @since 2.7.0
			 *
			 * @param string[] $cookie_elements {
			 *     Authentication cookie components. None of the components should be assumed
			 *     to be valid as they come directly from a client-provided cookie value.
			 *
			 *     @type string $username   User's username.
			 *     @type string $expiration The time the cookie expires as a UNIX timestamp.
			 *     @type string $token      User's session token used.
			 *     @type string $hmac       The security hash for the cookie.
			 *     @type string $scheme     The cookie scheme to use.
			 * }
			 */
			do_action( 'auth_cookie_bad_hash', $cookie_elements );
			return false;
		}

		$manager = WP_Session_Tokens::get_instance( $user->ID );
		if ( ! $manager->verify( $token ) ) {
			/**
			 * Fires if a bad session token is encountered.
			 *
			 * @since 4.0.0
			 *
			 * @param string[] $cookie_elements {
			 *     Authentication cookie components. None of the components should be assumed
			 *     to be valid as they come directly from a client-provided cookie value.
			 *
			 *     @type string $username   User's username.
			 *     @type string $expiration The time the cookie expires as a UNIX timestamp.
			 *     @type string $token      User's session token used.
			 *     @type string $hmac       The security hash for the cookie.
			 *     @type string $scheme     The cookie scheme to use.
			 * }
			 */
			do_action( 'auth_cookie_bad_session_token', $cookie_elements );
			return false;
		}

		// Ajax/POST grace period set above.
		if ( $expiration < time() ) {
			$GLOBALS['login_grace_period'] = 1;
		}

		/**
		 * Fires once an authentication cookie has been validated.
		 *
		 * @since 2.7.0
		 *
		 * @param string[] $cookie_elements {
		 *     Authentication cookie components.
		 *
		 *     @type string $username   User's username.
		 *     @type string $expiration The time the cookie expires as a UNIX timestamp.
		 *     @type string $token      User's session token used.
		 *     @type string $hmac       The security hash for the cookie.
		 *     @type string $scheme     The cookie scheme to use.
		 * }
		 * @param WP_User  $user            User object.
		 */
		do_action( 'auth_cookie_valid', $cookie_elements, $user );

		return $user->ID;
	}
endif;

if ( ! function_exists( 'wp_generate_auth_cookie' ) ) :
	/**
	 * Generates authentication cookie contents.
	 *
	 * @since 2.5.0
	 * @since 4.0.0 The `$token` parameter was added.
	 *
	 * @param int    $user_id    User ID.
	 * @param int    $expiration The time the cookie expires as a UNIX timestamp.
	 * @param string $scheme     Optional. The cookie scheme to use: 'auth', 'secure_auth', or 'logged_in'.
	 *                           Default 'auth'.
	 * @param string $token      User's session token to use for this cookie.
	 * @return string Authentication cookie contents. Empty string if user does not exist.
	 */

常见问题

FAQs
查看更多 >