[wp-hackers] Exemplary code for web single sign-on plugin

Otto otto at ottodestruct.com
Wed Jul 31 14:29:06 UTC 2013


On Tue, Jul 30, 2013 at 7:58 PM, Ryan McCue <lists at rotorised.com> wrote:
> Otto wrote:
>> You don't need to handle the cookie parts yourself. Using the
>> "authenticate" filter correctly will do it for you.
>
> From my own experience, simply filtering authenticate is *not* enough.
> The cookie check will happen before authenticate gets called in some
> cases, and cause the user to be logged out.
>
> I had to work around this:
> https://github.com/rmccue/WordPressOAuthProvider/commit/4b779059fd352c9086aef31b6b3c817ea3229388
>
> It may be the case that I was doing this incorrectly, but a simple
> filter on authenticate wasn't enough for me.

Think you must have been doing it wrong somehow. The cookie check
happens in wp_authenticate_cookie(), which is actually hooked to the
authenticate filter at priority 30.

Cookies can be cleared if something causes reauth to get set, but
that's separate, really.

Also, your workaround is incomplete. You're not setting up the
userdata globals quite properly. You might consider calling
wp_set_current_user() instead of just setting the global
$current_user.

-Otto
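
As an added illustration of the approach described in this message (not code from the thread or from either poster's plugin): an SSO handler hooked to the "authenticate" filter at priority 10, ahead of the cookie check at priority 30, that returns a WP_User and makes no cookie calls of its own. The `sso_token` parameter, its token format, the `EXAMPLE_SSO_SECRET` constant and the `example_sso_*` function names are assumptions.

```php
<?php
// Added example. Assumed: EXAMPLE_SSO_SECRET is defined in wp-config.php and the
// identity provider sends sso_token = "<login>|<unix expiry>|<hex HMAC-SHA256>".

// Priority 10 runs ahead of core's own handlers on this filter, including
// wp_authenticate_cookie() at priority 30 (as noted in the message above).
add_filter( 'authenticate', 'example_sso_authenticate', 10, 3 );

function example_sso_authenticate( $user, $username, $password ) {
    if ( $user instanceof WP_User ) {
        return $user; // an earlier handler already authenticated the request
    }
    if ( ! isset( $_REQUEST['sso_token'] ) || ! is_string( $_REQUEST['sso_token'] ) ) {
        return $user; // no token: let the later handlers decide
    }
    $login = example_sso_verify_token(
        wp_unslash( $_REQUEST['sso_token'] ), EXAMPLE_SSO_SECRET, time()
    );
    if ( null === $login ) {
        return new WP_Error( 'example_sso_invalid', 'Invalid or expired SSO token.' );
    }
    $found = get_user_by( 'login', $login );
    // Return the WP_User and stop: this handler makes no cookie calls.
    return $found ? $found : new WP_Error( 'example_sso_unknown', 'No matching account.' );
}

// Returns the login name for a valid, unexpired token, or null.
function example_sso_verify_token( $token, $secret, $now ) {
    $fields = explode( '|', (string) $token );
    if ( count( $fields ) < 3 ) {
        return null;
    }
    $mac    = array_pop( $fields );
    $expiry = array_pop( $fields );
    $login  = implode( '|', $fields ); // a login may itself contain "|"
    $expected = hash_hmac( 'sha256', $login . '|' . $expiry, $secret );
    if ( ! hash_equals( $expected, $mac ) ) { // constant-time comparison
        return null;
    }
    if ( ! ctype_digit( $expiry ) || (int) $expiry < $now ) {
        return null;
    }
    return $login;
}
```

A token of this kind can be replayed until it expires, so the issuing side should keep the expiry short.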

