do_action( 'auth_cookie_bad_username',
$cookie_elements );
return false;
} $pass_frag =
substr( $user->user_pass, 8, 4
);
$key =
wp_hash( $username . '|' .
$pass_frag . '|' .
$expiration . '|' .
$token,
$scheme );
// If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
$algo =
function_exists( 'hash'
) ? 'sha256' : 'sha1';
$hash =
hash_hmac( $algo,
$username . '|' .
$expiration . '|' .
$token,
$key );
if ( !
hash_equals( $hash,
$hmac ) ) { /**
* Fires if a bad authentication cookie hash is encountered.
*
* @since 2.7.0
*
* @param string[] $cookie_elements {
* Authentication cookie components. None of the components should be assumed
* to be valid as they come directly from a client-provided cookie value.
*
* @type string $username User's username.
* @type string $expiration The time the cookie expires as a UNIX timestamp.
* @type string $token User's session token used.
* @type string $hmac The security hash for the cookie.
* @type string $scheme The cookie scheme to use.
* }
*/