function wp_validate_auth_cookie( $cookie = '', $scheme = '' ) {
$cookie_elements = wp_parse_auth_cookie( $cookie, $scheme );
if ( ! $cookie_elements ) {
/**
* Fires if an authentication cookie is malformed.
*
* @since 2.7.0
*
* @param string $cookie Malformed auth cookie.
* @param string $scheme Authentication scheme. Values include 'auth', 'secure_auth',
* or 'logged_in'.
*/
do_action( 'auth_cookie_malformed', $cookie, $scheme );
return false;
}
$scheme = $cookie_elements['scheme'];
$username = $cookie_elements['username'];
$hmac = $cookie_elements['hmac'];
$token = $cookie_elements['token'];
$expired = $cookie_elements['expiration'];
$expiration = $cookie_elements['expiration'];
// Allow a grace period for POST and Ajax requests.
if ( wp_doing_ajax() || 'POST' === $_SERVER['REQUEST_METHOD'] ) {
$expired += HOUR_IN_SECONDS;
}
// Quick check to see if an honest cookie has expired.
if ( $expired < time() ) {
/**
* Fires once an authentication cookie has expired.
*
* @since 2.7.0
*
* @param string[] $cookie_elements {
* Authentication cookie components. None of the components should be assumed
* to be valid as they come directly from a client-provided cookie value.
*
* @type string $username User's username.
* @type string $expiration The time the cookie expires as a UNIX timestamp.
* @type string $token User's session token used.
* @type string $hmac The security hash for the cookie.
* @type string $scheme The cookie scheme to use.
* }
*/
do_action( 'auth_cookie_expired', $cookie_elements );
return false;
}
$user = get_user_by( 'login', $username );
if ( ! $user ) {
/**
* Fires if a bad username is entered in the user authentication process.
*
* @since 2.7.0
*
* @param string[] $cookie_elements {
* Authentication cookie components. None of the components should be assumed
* to be valid as they come directly from a client-provided cookie value.
*
* @type string $username User's username.
* @type string $expiration The time the cookie expires as a UNIX timestamp.
* @type string $token User's session token used.
* @type string $hmac The security hash for the cookie.
* @type string $scheme The cookie scheme to use.
* }
*/
do_action( 'auth_cookie_bad_username', $cookie_elements );
return false;
}
$pass_frag = substr( $user->user_pass, 8, 4 );
$key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme );
// If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
$algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
$hash = hash_hmac( $algo, $username . '|' . $expiration . '|' . $token, $key );
if ( ! hash_equals( $hash, $hmac ) ) {
/**
* Fires if a bad authentication cookie hash is encountered.
*
* @since 2.7.0
*
* @param string[] $cookie_elements {
* Authentication cookie components. None of the components should be assumed
* to be valid as they come directly from a client-provided cookie value.
*
* @type string $username User's username.
* @type string $expiration The time the cookie expires as a UNIX timestamp.
* @type string $token User's session token used.
* @type string $hmac The security hash for the cookie.
* @type string $scheme The cookie scheme to use.
* }
*/
do_action( 'auth_cookie_bad_hash', $cookie_elements );
return false;
}
$manager = WP_Session_Tokens::get_instance( $user->ID );
if ( ! $manager->verify( $token ) ) {
/**
* Fires if a bad session token is encountered.
*
* @since 4.0.0
*
* @param string[] $cookie_elements {
* Authentication cookie components. None of the components should be assumed
* to be valid as they come directly from a client-provided cookie value.
*
* @type string $username User's username.
* @type string $expiration The time the cookie expires as a UNIX timestamp.
* @type string $token User's session token used.
* @type string $hmac The security hash for the cookie.
* @type string $scheme The cookie scheme to use.
* }
*/
do_action( 'auth_cookie_bad_session_token', $cookie_elements );
return false;
}
// Ajax/POST grace period set above.
if ( $expiration < time() ) {
$GLOBALS['login_grace_period'] = 1;
}
/**
* Fires once an authentication cookie has been validated.
*
* @since 2.7.0
*
* @param string[] $cookie_elements {
* Authentication cookie components.
*
* @type string $username User's username.
* @type string $expiration The time the cookie expires as a UNIX timestamp.
* @type string $token User's session token used.
* @type string $hmac The security hash for the cookie.
* @type string $scheme The cookie scheme to use.
* }
* @param WP_User $user User object.
*/
do_action( 'auth_cookie_valid', $cookie_elements, $user );
return $user->ID;
}这个PHP函数 wp_validate_auth_cookie() 是WordPress的身份验证系统的一部分。它用于验证用户登录时每个请求发送的身份验证cookie。该函数有两个可选参数:$cookie 和 $scheme。
函数首先使用 wp_parse_auth_cookie() 函数解析身份验证cookie。如果cookie格式错误或不存在,函数会触发 auth_cookie_malformed 动作并返回 false。
接下来,它从解析的cookie中提取各种元素,包括方案、用户名、HMAC(用于数据完整性的一种加密哈希)、令牌和过期时间。
然后,函数检查请求是否为AJAX或POST请求。如果是,它会将cookie的过期时间延长一小时。这是一个宽限期,用于允许长时间运行的操作。
接着,函数检查cookie是否已过期。如果已过期,它会触发 auth_cookie_expired 动作并返回 false。
接下来,它检索与cookie中的用户名关联的用户。如果不存在这样的用户,它会触发 auth_cookie_bad_username 动作并返回 false。
然后,函数通过哈希cookie和用户密码的各种元素来生成一个密钥。它使用这个密钥来生成用户名、过期时间和令牌的哈希。如果生成的哈希与cookie中的HMAC不匹配,它会触发 auth_cookie_bad_hash 动作并返回 false。
接下来,它使用 WP_Session_Tokens::get_instance() 方法验证会话令牌。如果令牌无效,它会触发 auth_cookie_bad_session_token 动作并返回 false。
如果此时cookie的过期时间已过(只有在请求是AJAX或POST请求并且已应用宽限期的情况下才可能发生),它会将全局 login_grace_period 变量设置为 1。
最后,如果所有检查都通过,函数会触发 auth_cookie_valid 动作并返回用户的ID,表示身份验证cookie有效。