wp_signon() WP 2.5.0

Authorizes the user by the specified login/email, password, and remember parameter.

The function requires an array to be passed with the keys: user_login, user_password, remember. If the array is not specified, the function attempts to retrieve this data from the global variable $_POST.

The lifetime of the authorization cookies is set based on the 'remember' parameter.

The function does not set the current user. This means that if the function is called before the init event, the check is_user_logged_in() will return false. If this check is needed in advance, you need to set the current user manually using wp_set_current_user().

Replaces the deprecated function: wp_login().

The function should be used before any content (text, HTML) is output to the page because the function sets cookies, which cannot be set after content output...

If you need to log out the user, use wp_logout().

Returns

WP_User|WP_Error.

  • WP_User object (user data) on successful authorization.
  • WP_Error object on error.

Usage

wp_signon( $credentials, $secure_cookie );
$credentials(array)

User data to be authorized.

If not specified, attempts to get from the global variable $_POST

array(
	'user_login'    => $_POST['log'],
	'user_password' => $_POST['pwd'],
	'remember'      => $_POST['rememberme'],
)

Default: array() (from $_POST)

$secure_cookie(boolean)

Whether to use secure cookies.

Determines which cookie name is used. The name is taken from these constants:

  • When true - SECURE_AUTH_COOKIE
  • When false - AUTH_COOKIE.

Default: '' (empty string, which resolves to the result of is_ssl())

Examples

Example of authorization based on data passed in $_POST.

$user = wp_signon();

// authorization failed
if ( is_wp_error($user) ) {
	echo $user->get_error_message();
}

#1 An example of the authorization of the user Leonid:

$creds = [];
$creds['user_login'] = 'Leonid';
$creds['user_password'] = 'password';
$creds['remember'] = true;

$user = wp_signon( $creds, false );

if ( is_wp_error( $user ) ) {
   echo $user->get_error_message();
}

NOTE: This code must be run before the headers and cookies are sent.


#2 Example of authorization, through the $_POST data.

To do this, pass the following keys in $_POST and the function will perform the authorization itself: "log", "pwd" and "rememberme":

// Suppose we already have the following variables defined: 
// $_POST['log'], $_POST['pwd'], $_POST['rememberme']

// then the authorization will go as follows 

$user = wp_signon();

if ( is_wp_error( $user ) ) {
   echo $user->get_error_message();
}

#3 WP Sign on for SSL sites

For WP sign-on on SSL sites that need a secure cookie, I use (where $creds is the array of login credentials):

// $creds is the array of login credentials

$autologin_user = wp_signon( $creds, is_ssl() );

If you’re not explicitly setting the usage of secure cookies, not passing a second argument will default to setting based on the is_ssl() method.
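The notes above (call before any output, no current user is set, cookie security defaults to is_ssl()) combined into one form handler, as an added example that is not WordPress core code. The function name myplugin_handle_login(), the "myplugin_login" form field and the "login=failed" query argument are hypothetical. It also logs the error code instead of echoing get_error_message(), because WordPress's default messages distinguish an unknown username from a wrong password.

```php
<?php
/**
 * Added example, not WordPress core code. Hypothetical names:
 * myplugin_handle_login(), the "myplugin_login" form field and the
 * "login=failed" query argument.
 */
add_action( 'init', 'myplugin_handle_login' );

function myplugin_handle_login() {
	// Act only when our own login form was submitted.
	if ( empty( $_POST['myplugin_login'] ) ) {
		return;
	}

	// wp_signon() sets cookies, which is impossible once output has started.
	if ( headers_sent() ) {
		error_log( 'myplugin: sign-on attempted after output had started' );
		return;
	}

	// Pass credentials explicitly, read the same way wp_signon() reads $_POST:
	// strings only, login unslashed, password passed through unchanged.
	$creds = array(
		'user_login'    => isset( $_POST['log'] ) && is_string( $_POST['log'] ) ? wp_unslash( $_POST['log'] ) : '',
		'user_password' => isset( $_POST['pwd'] ) && is_string( $_POST['pwd'] ) ? $_POST['pwd'] : '',
		'remember'      => ! empty( $_POST['rememberme'] ),
	);

	// No second argument: $secure_cookie stays '' and resolves to is_ssl().
	$user = wp_signon( $creds );

	if ( is_wp_error( $user ) ) {
		// Keep the specific reason in the server log and send the visitor
		// back with a generic failure flag instead of the detailed message.
		error_log( 'myplugin: sign-on failed: ' . $user->get_error_code() );
		$back = wp_get_referer();
		wp_safe_redirect( add_query_arg( 'login', 'failed', $back ? $back : home_url( '/' ) ) );
		exit;
	}

	// wp_signon() only set the cookies. Make the user current so that
	// capability checks work during the rest of this request.
	wp_set_current_user( $user->ID );

	$target = current_user_can( 'manage_options' ) ? admin_url() : home_url( '/' );
	wp_safe_redirect( $target );
	exit;
}
```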

Notes

  • Global. String. $auth_secure_cookie
  • Global. wpdb. $wpdb WordPress database abstraction object.

Changelog

Since 2.5.0 Introduced.

wp_signon() code WP 6.9.1

function wp_signon( $credentials = array(), $secure_cookie = '' ) {
	global $auth_secure_cookie, $wpdb;

	if ( empty( $credentials ) ) {
		$credentials = array(
			'user_login'    => '',
			'user_password' => '',
			'remember'      => false,
		);

		if ( ! empty( $_POST['log'] ) && is_string( $_POST['log'] ) ) {
			$credentials['user_login'] = wp_unslash( $_POST['log'] );
		}
		if ( ! empty( $_POST['pwd'] ) && is_string( $_POST['pwd'] ) ) {
			$credentials['user_password'] = $_POST['pwd'];
		}
		if ( ! empty( $_POST['rememberme'] ) ) {
			$credentials['remember'] = $_POST['rememberme'];
		}
	}

	if ( ! empty( $credentials['remember'] ) ) {
		$credentials['remember'] = true;
	} else {
		$credentials['remember'] = false;
	}

	/**
	 * Fires before the user is authenticated.
	 *
	 * The variables passed to the callbacks are passed by reference,
	 * and can be modified by callback functions.
	 *
	 * @since 1.5.1
	 *
	 * @todo Decide whether to deprecate the wp_authenticate action.
	 *
	 * @param string $user_login    Username (passed by reference).
	 * @param string $user_password User password (passed by reference).
	 */
	do_action_ref_array( 'wp_authenticate', array( &$credentials['user_login'], &$credentials['user_password'] ) );

	if ( '' === $secure_cookie ) {
		$secure_cookie = is_ssl();
	}

	/**
	 * Filters whether to use a secure sign-on cookie.
	 *
	 * @since 3.1.0
	 *
	 * @param bool  $secure_cookie Whether to use a secure sign-on cookie.
	 * @param array $credentials {
	 *     Array of entered sign-on data.
	 *
	 *     @type string $user_login    Username.
	 *     @type string $user_password Password entered.
	 *     @type bool   $remember      Whether to 'remember' the user. Increases the time
	 *                                 that the cookie will be kept. Default false.
	 * }
	 */
	$secure_cookie = apply_filters( 'secure_signon_cookie', $secure_cookie, $credentials );

	// XXX ugly hack to pass this to wp_authenticate_cookie().
	$auth_secure_cookie = $secure_cookie;

	add_filter( 'authenticate', 'wp_authenticate_cookie', 30, 3 );

	$user = wp_authenticate( $credentials['user_login'], $credentials['user_password'] );

	if ( is_wp_error( $user ) ) {
		return $user;
	}

	wp_set_auth_cookie( $user->ID, $credentials['remember'], $secure_cookie );

	// Clear `user_activation_key` after a successful login.
	if ( ! empty( $user->user_activation_key ) ) {
		$wpdb->update(
			$wpdb->users,
			array(
				'user_activation_key' => '',
			),
			array( 'ID' => $user->ID )
		);

		$user->user_activation_key = '';
	}

	/**
	 * Fires after the user has successfully logged in.
	 *
	 * @since 1.5.0
	 *
	 * @param string  $user_login Username.
	 * @param WP_User $user       WP_User object of the logged-in user.
	 */
	do_action( 'wp_login', $user->user_login, $user );

	return $user;
}