Question

Basically I want to auto login the user in WordPress when he clicks on a link in his email that bears a parameter of either user id, username or email.

I went researching where WordPress stores the session information after login.

In my theme's header.php, when I put:

<?php print_r($_COOKIE); print_r($_SESSION); ?>

and logged in as admin, I got only this one array of $_COOKIE, as WordPress does not use sessions internally.

Array
(
    [wordpress_test_cookie] => WP Cookie check
    [wordpress_logged_in_80d2ab9fd1f16a2a89ddb8a5553b4463] => admin|1391841132|58e4ae330b4ca7aef9d6a8ffa3c3a1fb
)

I also compared the database dumps before and after login, and there is no change. From this, I came to the conclusion that WordPress stores the session data in the form of cookies.

Now I would like to bypass the login screen of WordPress when the user clicks on the link in his email.

I want to know what data is stored inside the above array of cookies, so I can create my own data dynamically and push it in the $_COOKIE array, to auto login the user.

Can anyone throw some light on this? I am not interested in trying any plugins. I want to do it manually for now.

EDIT: I came across this question, that talks about programmatic login of a user, if we just know his username.


Solution

Well, I could set up a script in the root of my site that handles the automatic login of a user when he clicks on the link in his email. The link has 2 parameters: his username and md5 string of his email.

For example, if the username is 'sam' and his email is 'samuel@example.com', the sample link in his email will be like:

http://www.example.com/user-login.php?username=sam&rand=ddb4b1cd8f56f9946b76399abb9d3106

Then finally the user-login.php script goes like this:

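<?php
// Load WordPress so $wpdb and the auth functions are available.
require_once ('wp-config.php');

if(isset($_GET['username']) && $_GET['username'] != '' && 
isset($_GET['rand']) && $_GET['rand'] != '')
{
    // WordPress adds slashes to $_GET on load; remove them before use.
    $username = trim(wp_unslash($_GET['username']));
    $rand = trim(wp_unslash($_GET['rand']));

    global $wpdb;
    // Bind the username as a parameter instead of concatenating it into the SQL.
    $user_details = $wpdb->get_row($wpdb->prepare(
        "SELECT id, user_email FROM {$wpdb->users} WHERE user_login = %s",
        $username
    ));

    // get_row() returns null when no row matches.
    if(! $user_details)
    {
        die("Error: Not a valid user");
    }
    else
    {
        $rand_email = md5($user_details->user_email);
        // Compare the expected and supplied values in constant time.
        if(! hash_equals($rand_email, $rand))
        {
            die("Error: Invalid URL");
        }
        else {
            $user = get_user_by('login', $username );

            // get_user_by() returns false (not a WP_Error) when the lookup fails.
            if ( $user )
            {
                wp_clear_auth_cookie();
                wp_set_current_user ( $user->ID );
                wp_set_auth_cookie  ( $user->ID );
                $redirect_to = get_option('siteurl');
                wp_safe_redirect( $redirect_to );
                exit();
            }
        }
    }
}
else {
    die("Error: Missing params");
}
?>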

This way, when the user clicks on the link in his email, he will be automatically logged in and navigate to the home page.

Thanks to Sjoerd Linders for providing me an insight in his answer.

Other tips

Well, besides the fact that this would be a huge security risk, you could do it with JavaScript and send a POST to the url: www.site.com/wp-admin/admin.php with the username and password (make sure to name the variables the same as the name tag on the userlogin table in your WordPress). Then I think you will need to refresh; just do a JavaScript refresh to the dir /wp-admin/ .

That sounds like a really bad idea (tm). On the one hand you're opening up your website to scriptable attacks (guess the cookie and username, you're in), and on the other hand you're encouraging people to just click on a link to login to something (that sounds ... phish-y, and something which any half decent modern mail client would mark as malware).

That's not good security practice.

Before going further down this path, ask yourself: What could go wrong if a badguy snarfs a copy of an email with an automatic login link?

What problem are you really trying to solve?
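
The concerns raised above apply to the md5-of-email link: anyone who knows a user's address can compute it, and it never expires. As an added example (not from the original post or any of the answers), this sketch issues a login-link token that is HMAC-signed with a server secret, time-limited and single-use. The function names, the 15-minute lifetime, the in-memory `$used` store and the demo values are assumptions made for illustration.

```php
<?php
// Added example: signed, expiring, single-use login-link token.
// All names and values here are hypothetical, not from the original answer.

const LOGIN_LINK_TTL = 900; // link lifetime in seconds (assumed policy)

// Token layout: "<user id>.<expiry>.<nonce>.<HMAC-SHA256 of the first three fields>"
function make_login_token(int $user_id, string $secret, int $now): string
{
    $payload = $user_id . '.' . ($now + LOGIN_LINK_TTL) . '.' . bin2hex(random_bytes(16));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Returns the user id, or null when the token is malformed, forged, expired or reused.
// $used stands in for a persistent store of spent nonces (database row, transient, ...).
function verify_login_token(string $token, string $secret, int $now, array &$used): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 4) {
        return null;
    }
    [$uid, $exp, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', "$uid.$exp.$nonce", $secret);
    if (!hash_equals($expected, $mac)) {   // constant-time; check before trusting any field
        return null;
    }
    if ((int) $exp < $now || isset($used[$nonce])) {
        return null;
    }
    $used[$nonce] = true;                  // burn the nonce so the link works once
    return (int) $uid;
}

// Constructed demo values.
$secret = random_bytes(32);
$used   = [];
$t0     = 1700000000;
$token  = make_login_token(42, $secret, $t0);
$guess  = '42.' . ($t0 + LOGIN_LINK_TTL) . '.00.' . md5('samuel@example.com');

$cases = [
    'first click'      => verify_login_token($token, $secret, $t0 + 60, $used),
    'same link again'  => verify_login_token($token, $secret, $t0 + 120, $used),
    'guessed md5 link' => verify_login_token($guess, $secret, $t0 + 60, $used),
    'after expiry'     => verify_login_token(make_login_token(42, $secret, $t0), $secret, $t0 + 901, $used),
];
foreach ($cases as $label => $uid) {
    echo str_pad($label, 18), $uid === null ? 'rejected' : "accepted (user $uid)", PHP_EOL;
}
```

In a WordPress script the secret could come from `wp_salt()` and the spent-nonce store from a transient or user meta, with `wp_set_auth_cookie()` called only after `verify_login_token()` returns a user id.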

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow