rest_cookie_check_errors( WP_Error|mixed $result )
Checks for errors when using cookie-based authentication.
Description
WordPress’ built-in cookie authentication is always active for logged in users. However, the API has to check nonces for each request to ensure users are not vulnerable to CSRF.
Parameters
- $result
-
(WP_Error|mixed) (Required) Error from another authentication handler, null if we should handle it, or another value if not.
Return
(WP_Error|mixed|bool) WP_Error if the cookie is invalid, the $result, otherwise true.
Source
File: wp-includes/rest-api.php
function rest_cookie_check_errors( $result ) { if ( ! empty( $result ) ) { return $result; } global $wp_rest_auth_cookie; /* * Is cookie authentication being used? (If we get an auth * error, but we're still logged in, another authentication * must have been used). */ if ( true !== $wp_rest_auth_cookie && is_user_logged_in() ) { return $result; } // Determine if there is a nonce. $nonce = null; if ( isset( $_REQUEST['_wpnonce'] ) ) { $nonce = $_REQUEST['_wpnonce']; } elseif ( isset( $_SERVER['HTTP_X_WP_NONCE'] ) ) { $nonce = $_SERVER['HTTP_X_WP_NONCE']; } if ( null === $nonce ) { // No nonce at all, so act as if it's an unauthenticated request. wp_set_current_user( 0 ); return true; } // Check the nonce. $result = wp_verify_nonce( $nonce, 'wp_rest' ); if ( ! $result ) { return new WP_Error( 'rest_cookie_invalid_nonce', __( 'Cookie check failed' ), array( 'status' => 403 ) ); } // Send a refreshed nonce in header. rest_get_server()->send_header( 'X-WP-Nonce', wp_create_nonce( 'wp_rest' ) ); return true; }
Changelog
Version | Description |
---|---|
4.4.0 | Introduced. |
© 2003–2021 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/rest_cookie_check_errors