0% Complete
0/0 Steps

WordPress cookies

In Progress
Unit Progress
0% Complete

WordPress > 2.4

When you log into WordPress from http://example.com/wp-login.php, WordPress stores the following two cookies:

  • Your user name
  • A double-hashed copy of your password

The cookies are set to expire two weeks from the time they are set. (Details of how to change this time).

WordPress > 3.0

On login, wordpress uses the wordpress_[hash] cookie to store your authentication details. Its use is limited to the admin console area, /wp-admin/

After login, wordpress sets the wordpress_logged_in_[hash] cookie, which indicates when you’re logged in, and who you are, for most interface use.

WordPress also sets a few wp-settings-{time}-[UID] cookies. The number on the end is your individual user ID from the users database table. This is used to customize your view of admin interface, and possibly also the main site interface.

The cookies length can be adjusted with the ‘auth_cookie_expiration’ hook (An example can be found at what’s the easiest way to stop wp from ever logging me out).

Non-Version-Specific Data

The actual cookies contain hashed data, so you don’t have to worry about someone gleaning your username and password by reading the cookie data. A hash is the result of a specific mathematical formula applied to some input data (in this case your user name and password, respectively). It’s quite hard to reverse a hash (bordering on practical infeasibility with today’s computers). This means it is very difficult to take a hash and “unhash” it to find the original input data.

WordPress uses the two cookies to bypass the password entry portion of wp-login.php. If WordPress recognizes that you have valid, non-expired cookies, you go directly to the WordPress Administration interface. If you don’t have the cookies, or they’re expired, or in some other way invalid (like you edited them manually for some reason), WordPress will require you to log in again, in order to obtain new cookies.

The functions to set and remove cookies are currently defined in /wp-includes/pluggable.php.

wp_set_auth_cookie( $user_id, $remember, $secure )
This function sets the cookie.
wp_clear_auth_cookie()
This function will delete the cookie from the client browser. This happens when the user clicks on the Logout link in the Administration interface.
auth_redirect()
This function also utilizes the cookies. Checks whether the cookie is present on the client browser. If it is not, the user is sent to the wp-login.php login screen. After logging in, the user is sent back to the page he or she attempted to access.