I’m trying to get around the otherwise very insecure way of WordPress handling authentication cookies. I mean, having the cookie expire in 2 weeks only if I build a membership site is obviously not ok, but at the same time, making it expire in 15 minutes while the user is logged in would be more than annoying.
I have searched and tested extensively, and narrowed down the somewhat complicated code forest around this in WordPress to the pluggable.php file under the wp-includes folder and found the wp_set_auth_cookie function on line 652 (v 3.5.1). Now this does give me the possibility to change the times, however those are, as mentioned above, fixed to the login time, instead of to the user’s last activity.
I tried to add this function or the wp_signon function using this one to my header, but it didn’t do the trick.
Any plugin or hook or something that you can think of that would help me with this?
Thanks a lot for your help in advance!
EDIT (June 6, 2013):
I tried with the following code in the functions.php file of my template, but all it does is that it logs me out when I reload the page; it doesn’t actually renew the auth cookies. The issue may be with the arguments ($userinnow, $remember, $secure) which, by the way, I don’t need/use, except for $userinnow.
    /* Renew cookie at every page load */
    function renew_wp_cookie() {
        global $current_user;
        get_currentuserinfo();
        $userinnow = $current_user->user_login;
        if (is_user_logged_in()) {
            wp_set_auth_cookie($userinnow, $remember, $secure);
        }
        else wp_clear_auth_cookie();
    }
    add_action('init', 'renew_wp_cookie');
You do not need to rewrite wp_set_auth_cookie(), it allows you to change the expiration time of the cookie:
If you want to clear the current cookie, you can use wp_clear_auth_cookie() (see source)
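
A sliding idle timeout built on the expiration filter, as an added example that is not part of the original question or answer: it shortens the cookie lifetime through the `auth_cookie_expiration` filter and re-issues the cookie for active users, passing the numeric user ID that `wp_set_auth_cookie()` expects. The `myprefix_` names and the 15-minute limit are hypothetical, and the session-token branch goes beyond the 3.5.1 code discussed above to cover WordPress 4.0 and later.

```php
<?php
// Added example (hypothetical "myprefix_" names); place in a plugin or functions.php.
define( 'MYPREFIX_IDLE_TIMEOUT', 15 * 60 ); // assumed idle limit in seconds

// Every cookie issued by wp_set_auth_cookie() now expires after the idle limit.
function myprefix_cookie_lifetime( $seconds, $user_id, $remember ) {
    return MYPREFIX_IDLE_TIMEOUT;
}
add_filter( 'auth_cookie_expiration', 'myprefix_cookie_lifetime', 10, 3 );

// Re-issue the cookie while the user is active, so expiry tracks last activity.
function myprefix_renew_auth_cookie() {
    if ( ! is_user_logged_in() || headers_sent() ) {
        return; // never create or clear cookies for anonymous visitors
    }
    // The expiry timestamp is embedded in (and signed into) the cookie value.
    $cookie = wp_parse_auth_cookie( '', 'logged_in' );
    if ( ! $cookie ) {
        return;
    }
    $remaining = (int) $cookie['expiration'] - time();
    // Skip cookies that are already expired (accepted only under WordPress's
    // POST/AJAX grace period) and cookies that were renewed recently.
    if ( $remaining <= 0 || $remaining > MYPREFIX_IDLE_TIMEOUT / 2 ) {
        return;
    }
    $user_id = get_current_user_id(); // numeric ID, not user_login
    $token   = '';
    // WordPress 4.0+ also keeps a server-side session with its own expiry;
    // extend it and reuse the token so nonces in open pages stay valid.
    if ( function_exists( 'wp_get_session_token' ) ) {
        $token   = wp_get_session_token();
        $manager = WP_Session_Tokens::get_instance( $user_id );
        $session = $manager->get( $token );
        if ( $session ) {
            $session['expiration'] = time() + MYPREFIX_IDLE_TIMEOUT;
            $manager->update( $token, $session );
        } else {
            $token = ''; // unknown session: let WordPress create a fresh one
        }
    }
    // $remember = false gives a browser-session cookie; '' lets WordPress pick
    // the Secure flag from is_ssl().
    wp_set_auth_cookie( $user_id, false, '', $token );
}
add_action( 'init', 'myprefix_renew_auth_cookie' );
```

Because the expiry is validated server-side from the signed cookie value, a client that keeps a stale cookie past the idle limit is still rejected.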