[wp-hackers] wp-login.php changes in 2.5

benchun ben at benchun.net
Thu Apr 10 18:46:32 GMT 2008

Hi everyone,
I noticed that login is handled a little differently in 2.5.  This caused
Daniel Westermann-Clark's http-authentication (
http://wordpress.org/extend/plugins/http-authentication/ ) plugin to break,
but just slightly.  Background: The purpose of the plugin is to check if the
user is already authenticated by looking for the REMOTE_USER environment
variable, as set by mod_auth or similar.  If yes, then it logs them in to WP
with the same username by setting the cookie.

The current implementation involves hooking wp_authenticate.  It looks like
the order of operations in 2.5 in wp-login.php has changed.  Previously it
called wp_authenticate no matter what, and the plugin could do it's magic.
Now wp-login.php calls wp_signon() in wp-includes/user.php, which returns
before calling wp_authenticate if it wasn't passed any credentials.  So why
not pass it credentials?  Well that sounds great.  How are we intended to do
this cleanly?

wp_signon() is not in pluggable.php and wp_login() is deprecated with a note
to use wp_signin() -- a function that as far as I can tell does not exist at
all.  Clearly someone had an idea for how logins should work, and these
changes were probably a good idea in some context.  Were they implemented
completely?  Can anyone point me at documentation for these changes or give
a suggestion as to how to fix dwc's plugin?

Thanks in advance,

More information about the wp-hackers mailing list