5 comments

  1. Here is a function to auto-login a user (not tested):

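    function auto_login() {
        if (!is_user_logged_in()) {
            // determine WordPress user account to impersonate
            $user_login = 'guest';

            // look up the user (get_userdatabylogin() is deprecated;
            // get_user_by() is its replacement)
            $user = get_user_by('login', $user_login);
            if (!$user) {
                return; // no such account, nothing to log in
            }
            $user_id = $user->ID;

            // log in: set the current user and issue the auth cookie
            wp_set_current_user($user_id, $user_login);
            wp_set_auth_cookie($user_id);
            do_action('wp_login', $user_login);
        }
    }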
    
  2. You have to pass 2 parameters to the wp_login hook. See the WP Codex.

    wp_set_current_user( $user_id, $user->user_login );
    wp_set_auth_cookie( $user_id );
    do_action( 'wp_login', $user->user_login, $user );
    
  3. Create a separate table to store all the links you sent and their respective temp authentication codes, which may be valid only for some time, then pass that temp auth code and email as URL params.

    Write code to validate the user based on the temp auth code, so that as soon as the user clicks on the email you can redirect him.

  4. The WordPress plugin temporary-login-without-password implements that and a unique hash / key as per your comments.

    Open Source code is here:
    https://plugins.trac.wordpress.org/browser/temporary-login-without-password/trunk/public/class-wp-temporary-login-without-password-public.php

        public function init_wtlwp() {

            if ( ! empty( $_GET['wtlwp_token'] ) ) {

                // Normalise the token taken from the query string.
                $wtlwp_token = sanitize_key( $_GET['wtlwp_token'] );  // Input var okay.
                // Look up the temporary user(s) that token is still valid for.
                $users          = Wp_Temporary_Login_Without_Password_Common::get_valid_user_based_on_wtlwp_token( $wtlwp_token );
                $temporary_user = '';
                if ( ! empty( $users ) ) {
                    $temporary_user = $users[0];
                }

                if ( ! empty( $temporary_user ) ) {

                    $temporary_user_id = $temporary_user->ID;
                    // ... (the excerpt posted here stops at this point)
                }
            }
        }
    
  5. That’s a really bad idea. Consider this:
    You send an email to users A and B which contains the following links:

    http://wordpressblog.exp/fromemail?user_id=A;
    http://wordpressblog.exp/fromemail?user_id=B;
    

    If user B replaces his user id with A’s user_id then he has access to User A’s account.
    You’d be better off constructing a hash for logging a user in that way.
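
The expiring, unguessable login code suggested in comments 3 and 5, sketched as an added example (it is not part of any comment on this page and not the plugin's code). The `magic_link_*` function names, the meta keys, the `login_token` parameter and the 15-minute lifetime are assumptions; user meta stands in for the separate table mentioned in comment 3.

```php
<?php
// Added example: the magic_link_* helpers, the meta keys and the "login_token"
// query parameter are hypothetical names, not from the page or from a plugin.

const MAGIC_LINK_TTL = 900; // seconds the link stays valid (assumed value)

// Create a random token for $user_id and return the URL to put in the email.
function magic_link_create( $user_id ) {
    $token = bin2hex( random_bytes( 32 ) ); // 256 random bits, not derived from the user id
    // Store only a hash, so a database leak does not reveal usable links.
    update_user_meta( $user_id, '_magic_link_hash', hash( 'sha256', $token ) );
    update_user_meta( $user_id, '_magic_link_expires', time() + MAGIC_LINK_TTL );
    return add_query_arg( 'login_token', $token, home_url( '/' ) );
}

// Return the WP_User the token belongs to, or null. The token is single-use.
function magic_link_consume( $token ) {
    if ( ! is_string( $token ) || ! preg_match( '/^[0-9a-f]{64}$/', $token ) ) {
        return null; // wrong type or shape: reject before touching the database
    }
    $users = get_users( array(
        'meta_key'   => '_magic_link_hash',
        'meta_value' => hash( 'sha256', $token ),
        'number'     => 2,
    ) );
    if ( 1 !== count( $users ) ) {
        return null; // unknown token
    }
    $user    = $users[0];
    $expires = (int) get_user_meta( $user->ID, '_magic_link_expires', true );
    // Invalidate before deciding, so a link can never be replayed.
    delete_user_meta( $user->ID, '_magic_link_hash' );
    delete_user_meta( $user->ID, '_magic_link_expires' );
    return ( time() <= $expires ) ? $user : null;
}

add_action( 'init', function () {
    if ( empty( $_GET['login_token'] ) || is_user_logged_in() ) {
        return;
    }
    $user = magic_link_consume( wp_unslash( $_GET['login_token'] ) );
    if ( $user ) {
        wp_set_current_user( $user->ID, $user->user_login );
        wp_set_auth_cookie( $user->ID );
        do_action( 'wp_login', $user->user_login, $user );
    }
    wp_safe_redirect( home_url( '/' ) ); // drop the token from the address bar
    exit;
} );
```

Because the user is found from the token alone, the link carries no user id for a recipient to swap, and the token stops working after its first use or after the lifetime expires.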