[wp-trac] [WordPress Trac] #63230: Correct expiration time documentation for `wp_set_auth_cookie()`

WordPress Trac noreply at wordpress.org
Sat Apr 5 11:04:32 UTC 2025


#63230: Correct expiration time documentation for `wp_set_auth_cookie()`
------------------------------------+---------------------
 Reporter:  peterwilsoncc           |       Owner:  (none)
     Type:  enhancement             |      Status:  new
 Priority:  normal                  |   Milestone:  6.9
Component:  Login and Registration  |     Version:
 Severity:  normal                  |  Resolution:
 Keywords:  needs-docs              |     Focuses:  docs
------------------------------------+---------------------
Changes (by zodiac1978):

 * keywords:  has-patch needs-docs => needs-docs
 * type:  defect (bug) => enhancement


Comment:

 Replying to [comment:8 johnbillion]:
 > There's two "expiration" values for this cookie. The `$expiration`
 > variable is how long the value of the hash in the cookie remains valid
 > (which is either 14 or 2 days depending on `$remember`). The `$expire`
 > variable is how long the cookie remains valid in the browser, which is 14
 > days when `$remember` is set or 0 if not, meaning it's a session cookie in
 > the latter case.
 >
 > https://github.com/WordPress/wordpress-develop/blob/07bf0f91117629fb382ad09b6de1d138baea15e0/src/wp-includes/pluggable.php#L997-L1007

 Thanks for the explanation @johnbillion!

 So, this is not wrong at all, but only badly documented, if I'm correct.

 The grace period of 12 hours is added for the cookie, but the hash is
 invalid and therefore the login expires correctly after 14 days if
 "remember me" is checked. If it is not checked this is a session cookie,
 but the 48 hours still apply because the hash is invalidated. Correct?
 Even with a session restore from a browser this cookie will still be
 invalid after 48 hours, because the hash does expire. Correct?

 My use case was to use `auth_cookie_expiration` to log out every subscriber
 at midnight. This would still apply even when the cookie is available 12
 hours longer or is a session cookie, because the hash in the DB
 invalidates. Correct?

 This would mean we could ignore the patch and just add some more
 explanation to the docs. The doc page for `auth_cookie_expiration` and the
 mentioned Cookies page from the advanced administration handbook, for
 example.

 Agreed?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63230#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
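
The two values discussed in this message, modelled as an added standalone PHP example (not WordPress core code and not from the ticket), applied to the "log out at midnight" use case. `model_auth_cookie_times()`, `until_next_midnight()` and `model_is_valid()` are hypothetical names, the timestamps are constructed, and the callback stands in for an `auth_cookie_expiration` filter with simplified arguments.

```php
<?php
// Added illustration: a standalone model, not WordPress core code.
const HOUR = 3600;
const DAY  = 86400;

/**
 * Hypothetical helper returning the two values from the quoted comment:
 *   expiration = when the signed value inside the cookie stops validating
 *   expire     = cookie lifetime sent to the browser (0 = session cookie)
 * $lifetime stands in for an auth_cookie_expiration filter; its ($length, $now)
 * arguments are a simplification made for this example.
 */
function model_auth_cookie_times(int $now, bool $remember, ?callable $lifetime = null): array
{
    $length     = $remember ? 14 * DAY : 2 * DAY;
    $length     = $lifetime ? $lifetime($length, $now) : $length;
    $expiration = $now + $length;
    $expire     = $remember ? $expiration + 12 * HOUR : 0;
    return ['expiration' => $expiration, 'expire' => $expire];
}

/** Hypothetical callback: seconds left until the next midnight (UTC assumed). */
function until_next_midnight(int $length, int $now): int
{
    $midnight = (new DateTimeImmutable('@' . $now))->modify('tomorrow');
    return $midnight->getTimestamp() - $now;
}

/** Model of the server-side check: rejected once the expiration has passed. */
function model_is_valid(array $times, int $at): bool
{
    return $at <= $times['expiration'];
}

$now      = gmmktime(11, 4, 32, 4, 5, 2025); // constructed sample login time
$midnight = gmmktime(0, 0, 0, 4, 6, 2025);   // constructed: the following midnight

foreach ([true, false] as $remember) {
    $t = model_auth_cookie_times($now, $remember, 'until_next_midnight');
    printf(
        "remember=%s expiration=%s browser=%s valid_before=%s valid_after=%s\n",
        var_export($remember, true),
        gmdate('c', $t['expiration']),
        $t['expire'] ? gmdate('c', $t['expire']) : 'session cookie',
        var_export(model_is_valid($t, $midnight - 60), true),
        var_export(model_is_valid($t, $midnight + 60), true)
    );
}
```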

