How to log a user in to WordPress using only their user_id

February 24, 20233 Views

Is there any way I can log a WordPress user in given only their wp user_ID?

I’m sending users emails to confirm something and when they click on the given link to come to the website they need to be logged in to see the page I’m taking them to, so I have to log the user in and then do a header redirect.

I need a php function provided by wordpress, one that I can use in php, could you also give me any extra details as to how I can implement it (if any)

Post Views: 3

5 comments

Here a function to auto-log an user (not tested) :

function auto_login() {
    if (!is_user_logged_in()) {
        //determine WordPress user account to impersonate
        $user_login = 'guest';

       //get user's ID
        $user = get_userdatabylogin($user_login);
        $user_id = $user->ID;

        //login
        wp_set_current_user($user_id, $user_login);
        wp_set_auth_cookie($user_id);
        do_action('wp_login', $user_login);
    }
}

You have to pass 2 parameters in wp_login hook. See Wp codex

wp_set_current_user( $user_id, $user->user_login );
wp_set_auth_cookie( $user_id );
do_action( 'wp_login', $user->user_login, $user );

Anonymous says:

February 24, 2023 at 6:21 am

Create separate table to store all the links you sent and respective temp authentication code, which may be valid only for some time, then pass that temp auth code and email as a url param –

Write a code to validate user based on temp auth code, so that as soon as user clicks on email you can redirect him.

Log in to Reply

The WordPress plugin temporary-login-without-password implements that and a unique hash / key as per your comments.

Open Source code is here:
https://plugins.trac.wordpress.org/browser/temporary-login-without-password/trunk/public/class-wp-temporary-login-without-password-public.php

    public function init_wtlwp() {

          if ( ! empty( $_GET['wtlwp_token'] ) ) {

                    $wtlwp_token = sanitize_key( $_GET['wtlwp_token'] );  // Input var okay.
                    $users       = Wp_Temporary_Login_Without_Password_Common::get_valid_user_based_on_wtlwp_token( $wtlwp_token );
                    $temporary_user = '';
                        if ( ! empty( $users ) ) {
                            $temporary_user = $users[0];
                        }

                        if ( ! empty( $temporary_user ) ) {

                            $temporary_user_id = $temporary_user->ID;

Anonymous says:

February 24, 2023 at 6:21 am
That’s a really bad ideea. Consider this:
You send an email to user A and B which contains the following link:
```
http://wordpressblog.exp/fromemail?user_id=A;
http://wordpressblog.exp/fromemail?user_id=B;
```
If user B replaces his user id with A’s user_id then he has access to User A’s account.
Youd be better of constructing a hash for logging a user that way
Log in to Reply

Leave a Reply Cancel reply

5 comments

Social Network

Related posts

Leave a Reply Cancel reply

5 comments

Social Network