5 thoughts on “Programmatically Sign-on a WordPress User

  1. Found this the other day and implemented it on a site. It seemed to worked great, but there is one weird behavior I’m seeing. If, after I’ve logged the user in programmatically per your code above, and then open a new tab and go directly to http://www.websitename.com/wp-admin (which then redirects to wp-login.php…) it doesn’t recognize the programmatic login and shows me the login form instead. Additionally, navigating to the wp-login page directly also clears out the authentication of my “logged in” tabs.

    Any idea why this is happening? I like the fact that you’ve used the new wp_signon function to accomplish the programmatic login, but something still isn’t working correctly or this wouldn’t be happening. Can you verify this behavior?

    Thanks.

    Dan

  2. I am having a similar problem as ProgrammerDan,

    I placed this code in my functions.php.

    The user can login to the page I call the function on , but they can’t access wp-admin, and don’t register as signed in on any other pages.

    Any thoughts on why?

  3. Hm… Am I understanding this properly?

    Even though this function has a var for the $password:

    function allow_programmatic_login( $user, $username, $password )

    You’re filtering it:

    add_filter( ‘authenticate’, ‘allow_programmatic_login’, 10, 3

    Then right after you’ve removed it.

    So the notes says

    To avoid potential security vulnerabilities, this should only be used in the context of a programmatic login, and unhooked immediately after it fires.

    But your code does unhook it? Or is another unhooking necessary?

    Second question/ point of clarification – this script can’t yet add a user if that user doesn’t exist.

    That could be added in, instead of the return; false – any tips on how to add the user, then re-run the function so the added user gets logged in?

    This is for a single sign on project – the sign on already exists, I’m guessing I just get back a TRUE or FALSE if the user is authenticated – so I’m looking to fire this script on TRUE – but there will be many cases where the user has credentials in the single sign on – but won’t yet exist in the WordPress they are getting programmatically logged into.

    Thanks for posting!

Leave a Reply

Your email address will not be published. Required fields are marked *