wp_set_auth_cookie()WP 2.5.0

Authorizes (Log in) a user by ID. Sets authentication cookies based on the transmitted user ID.

The function should be used before any content is displayed because it works with HTTP headers.

The function result will be visible not immediately, but after page refresh.

The $remember parameter increases the time that the cookie will be kept. The default the cookie is kept without remembering is two days. When $remember is set, the cookies will be kept for 14 days or two weeks.

Pluggable function — this function can be replaced from a plugin. It means that this function is defined (works) only after all plugins are loaded (included), but before this moment this function has not defined. Therefore, you cannot call this and all functions depended on this function directly from a plugin code. They need to be called on plugins_loaded hook or later, for example on init hook.

Function replacement (override) — in must-use or regular plugin you can create a function with the same name, then it will replace this function.

Used By: wp_signon()
Hooks from the function

Return

null. Nothing (null).

Return

null. Nothing (null).

Usage

wp_set_auth_cookie( $user_id, $remember, $secure, $token );
$user_id(int) (required)
User ID.
$remember(true|false)
Whether to remember the user.
Default: false
$secure(true|false|string)
Whether the auth cookie should only be sent over HTTPS.
Default: an empty string which means the value of is_ssl() will be used
$token(string)
User's session token to use for this cookie.
Default: ''

Examples

0

#1 Authorize the user with ID 25.

Function operation example:

$ID = 25;
wp_set_auth_cookie( $ID );
0

#2 Authorization with current data cleaning

It is more correct to authorize the user by clearing all authentication cookies and deleting the caching headers:

nocache_headers();
wp_clear_auth_cookie();
wp_set_auth_cookie($ID);

Changelog

Since 2.5.0 Introduced.
Since 4.3.0 Added the $token parameter.

wp_set_auth_cookie() code WP 6.5.2

wp-includes/pluggable.php 
function wp_set_auth_cookie( $user_id, $remember = false, $secure = '', $token = '' ) {
	if ( $remember ) {
		/**
		 * Filters the duration of the authentication cookie expiration period.
		 *
		 * @since 2.8.0
		 *
		 * @param int  $length   Duration of the expiration period in seconds.
		 * @param int  $user_id  User ID.
		 * @param bool $remember Whether to remember the user login. Default false.
		 */
		$expiration = time() + apply_filters( 'auth_cookie_expiration', 14 * DAY_IN_SECONDS, $user_id, $remember );

		/*
		 * Ensure the browser will continue to send the cookie after the expiration time is reached.
		 * Needed for the login grace period in wp_validate_auth_cookie().
		 */
		$expire = $expiration + ( 12 * HOUR_IN_SECONDS );
	} else {
		/** This filter is documented in wp-includes/pluggable.php */
		$expiration = time() + apply_filters( 'auth_cookie_expiration', 2 * DAY_IN_SECONDS, $user_id, $remember );
		$expire     = 0;
	}

	if ( '' === $secure ) {
		$secure = is_ssl();
	}

	// Front-end cookie is secure when the auth cookie is secure and the site's home URL uses HTTPS.
	$secure_logged_in_cookie = $secure && 'https' === parse_url( get_option( 'home' ), PHP_URL_SCHEME );

	/**
	 * Filters whether the auth cookie should only be sent over HTTPS.
	 *
	 * @since 3.1.0
	 *
	 * @param bool $secure  Whether the cookie should only be sent over HTTPS.
	 * @param int  $user_id User ID.
	 */
	$secure = apply_filters( 'secure_auth_cookie', $secure, $user_id );

	/**
	 * Filters whether the logged in cookie should only be sent over HTTPS.
	 *
	 * @since 3.1.0
	 *
	 * @param bool $secure_logged_in_cookie Whether the logged in cookie should only be sent over HTTPS.
	 * @param int  $user_id                 User ID.
	 * @param bool $secure                  Whether the auth cookie should only be sent over HTTPS.
	 */
	$secure_logged_in_cookie = apply_filters( 'secure_logged_in_cookie', $secure_logged_in_cookie, $user_id, $secure );

	if ( $secure ) {
		$auth_cookie_name = SECURE_AUTH_COOKIE;
		$scheme           = 'secure_auth';
	} else {
		$auth_cookie_name = AUTH_COOKIE;
		$scheme           = 'auth';
	}

	if ( '' === $token ) {
		$manager = WP_Session_Tokens::get_instance( $user_id );
		$token   = $manager->create( $expiration );
	}

	$auth_cookie      = wp_generate_auth_cookie( $user_id, $expiration, $scheme, $token );
	$logged_in_cookie = wp_generate_auth_cookie( $user_id, $expiration, 'logged_in', $token );

	/**
	 * Fires immediately before the authentication cookie is set.
	 *
	 * @since 2.5.0
	 * @since 4.9.0 The `$token` parameter was added.
	 *
	 * @param string $auth_cookie Authentication cookie value.
	 * @param int    $expire      The time the login grace period expires as a UNIX timestamp.
	 *                            Default is 12 hours past the cookie's expiration time.
	 * @param int    $expiration  The time when the authentication cookie expires as a UNIX timestamp.
	 *                            Default is 14 days from now.
	 * @param int    $user_id     User ID.
	 * @param string $scheme      Authentication scheme. Values include 'auth' or 'secure_auth'.
	 * @param string $token       User's session token to use for this cookie.
	 */
	do_action( 'set_auth_cookie', $auth_cookie, $expire, $expiration, $user_id, $scheme, $token );

	/**
	 * Fires immediately before the logged-in authentication cookie is set.
	 *
	 * @since 2.6.0
	 * @since 4.9.0 The `$token` parameter was added.
	 *
	 * @param string $logged_in_cookie The logged-in cookie value.
	 * @param int    $expire           The time the login grace period expires as a UNIX timestamp.
	 *                                 Default is 12 hours past the cookie's expiration time.
	 * @param int    $expiration       The time when the logged-in authentication cookie expires as a UNIX timestamp.
	 *                                 Default is 14 days from now.
	 * @param int    $user_id          User ID.
	 * @param string $scheme           Authentication scheme. Default 'logged_in'.
	 * @param string $token            User's session token to use for this cookie.
	 */
	do_action( 'set_logged_in_cookie', $logged_in_cookie, $expire, $expiration, $user_id, 'logged_in', $token );

	/**
	 * Allows preventing auth cookies from actually being sent to the client.
	 *
	 * @since 4.7.4
	 * @since 6.2.0 The `$expire`, `$expiration`, `$user_id`, `$scheme`, and `$token` parameters were added.
	 *
	 * @param bool   $send       Whether to send auth cookies to the client. Default true.
	 * @param int    $expire     The time the login grace period expires as a UNIX timestamp.
	 *                           Default is 12 hours past the cookie's expiration time. Zero when clearing cookies.
	 * @param int    $expiration The time when the logged-in authentication cookie expires as a UNIX timestamp.
	 *                           Default is 14 days from now. Zero when clearing cookies.
	 * @param int    $user_id    User ID. Zero when clearing cookies.
	 * @param string $scheme     Authentication scheme. Values include 'auth' or 'secure_auth'.
	 *                           Empty string when clearing cookies.
	 * @param string $token      User's session token to use for this cookie. Empty string when clearing cookies.
	 */
	if ( ! apply_filters( 'send_auth_cookies', true, $expire, $expiration, $user_id, $scheme, $token ) ) {
		return;
	}

	setcookie( $auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, true );
	setcookie( $auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, true );
	setcookie( LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true );
	if ( COOKIEPATH != SITECOOKIEPATH ) {
		setcookie( LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true );
	}
}

authenticate (authentication login)

PHP headers (cookies)

Login/Logout