Extend auth_cookie_expiration in WordPress: Keep Users Logged In Longer
As a WordPress developer, one common requirement is to keep users logged in for longer periods of time. By default, WordPress sets the auth_cookie_expiration value to 2 days, meaning users will be logged out after 48 hours of inactivity.
However, in many scenarios, you may want to extend this expiration time to improve user experience and reduce the frequency of re-authentication. Perhaps you have a web application where users need to stay logged in for longer sessions, or you want to provide a "remember me" functionality that keeps users logged in for weeks or even months.
Fortunately, WordPress provides a built-in function to update the auth_cookie_expiration value, allowing you to extend the login session duration. In this blog post, we'll explore a practical example of how to renew the WordPress auth cookie at every page load, keeping your users logged in for as long as you need.
Understanding the WordPress Authentication Cookie
Before we dive into the code, let's quickly review how WordPress handles user authentication and cookies.
When a user logs in to your WordPress site, WordPress generates an authentication cookie that is stored in the user's browser. This cookie is used to identify the user and keep them logged in on subsequent page visits. The auth_cookie_expiration option determines how long this cookie remains valid.
By default, the auth_cookie_expiration value is set to 2 days (172800 seconds). This means that if a user doesn't visit your site for 48 hours, their authentication cookie will expire, and they will need to log in again.
Renewing the WordPress Auth Cookie on Every Page Load
To keep users logged in for longer periods, we can implement a simple function that checks if the current user is logged in and has the desired user role, and then updates the auth_cookie_expiration value.
Here's the code:
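/* Renew cookie at every page load */
function renew_wp_cookie() {
    // Return early if it's on the login/logout page
    if (in_array($GLOBALS['pagenow'], array('wp-login.php'))) {
        return;
    }
    // Only renew for logged-in users with the targeted role
    if (is_user_logged_in() && current_user_can('user_role')) {
        $current_logged_user = get_current_user_id();
        // $remember = true issues a persistent cookie. No session token is passed,
        // so each call also creates a new session token for the user.
        wp_set_auth_cookie($current_logged_user, true);
    }
}
add_action('init', 'renew_wp_cookie');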
Let's break down the code:
- The function renew_wp_cookie() is hooked to the init action, which runs on every page load.
- The first if statement checks if the current page is the login or logout page (wp-login.php). If so, the function returns early to avoid interfering with the login/logout process.
- Inside the second if statement, we check if the current user is logged in (is_user_logged_in()) and if they have the desired user role (current_user_can('user_role')). You can replace 'user_role' with the specific role you want to target, such as 'administrator', 'editor', or 'subscriber'.
- If both conditions are met, we get the current user's ID (get_current_user_id()) and use the wp_set_auth_cookie() function to update the authentication cookie. The second argument (true) tells WordPress to keep the cookie for the maximum expiration time.
By adding this function to your WordPress site, every time a user visits a page, the authentication cookie will be renewed, effectively extending their login session for as long as you need.
Adjusting the Cookie Expiration Time
While the code above will renew the authentication cookie on every page load, it doesn't actually change the expiration time. To extend the cookie's expiration time, you can use the auth_cookie_expiration filter, which allows you to modify the auth_cookie_expiration value.
Here's an example of how you can extend the cookie expiration time to 30 days (2,592,000 seconds):
function extend_auth_cookie_expiration($expiration) {
    return 2592000; // 30 days in seconds
}
add_filter('auth_cookie_expiration', 'extend_auth_cookie_expiration');
In this example, the extend_auth_cookie_expiration() function is hooked to the auth_cookie_expiration filter, which is called whenever WordPress needs to determine the authentication cookie expiration time. The function simply returns the desired expiration time in seconds (30 days in this case).
By combining the renew_wp_cookie() function and the extend_auth_cookie_expiration() filter, you can effectively keep users logged in for as long as you need, improving the overall user experience of your WordPress-powered application.
Real-World Example: Keeping Users Logged In for Extended Sessions
Let's consider a real-world scenario where extending the WordPress auth cookie expiration time can be beneficial.
Imagine you're building a web application for a financial services company, where users need to access sensitive financial data and perform various transactions. In this case, you want to ensure that users remain logged in for longer periods, reducing the frequency of re-authentication and providing a seamless user experience.
Here's how you can implement the cookie renewal and expiration extension in this scenario:
- Renew the Cookie on Every Page Load: Use the renew_wp_cookie() function we discussed earlier to check if the user is logged in and has the appropriate user role (e.g., 'financial_advisor' or 'account_manager'), then update the authentication cookie.
- Extend the Cookie Expiration Time: Utilize the extend_auth_cookie_expiration() function to set the cookie expiration time to a longer duration, such as 30 days or even 6 months, depending on your use case and security requirements.
- Implement Additional Security Measures: While extending the cookie expiration time can improve user experience, it's important to consider additional security measures to protect your application. You may want to implement features like:
  - Periodic re-authentication: Require users to re-authenticate after a certain period of time (e.g., 1 hour) to ensure ongoing authorization.
  - Session timeouts: Automatically log out users after a predefined period of inactivity (e.g., 30 minutes) to mitigate the risk of unauthorized access.
  - Multi-factor authentication: Implement additional layers of security, such as SMS or email verification, to strengthen the authentication process.
By combining the cookie renewal and expiration extension with these security best practices, you can create a robust and user-friendly authentication system for your financial services web application, keeping your users logged in for extended sessions while maintaining a high level of security.
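Steps 2 and 3 above, as an added example that is not code from the original post: a role-aware auth_cookie_expiration callback, plus a 30-minute inactivity timeout tracked in the WordPress session record. The function names, the 'last_activity' key, the role list and the 8-hour and 30-day limits are assumptions; it also assumes the per-request renew_wp_cookie() hook is not active, because a new session token on every request would reset the idle clock.

```php
<?php
// Added example, not from the original post. The role names, limits and the
// 'last_activity' session key are assumptions chosen for illustration.
define( 'EXAMPLE_IDLE_LIMIT', 30 * MINUTE_IN_SECONDS );

// Step 2, made role-aware: the filter also receives the user ID and the
// "remember me" flag, so sensitive roles can keep a short lifetime.
function example_auth_cookie_expiration( $seconds, $user_id, $remember ) {
    $user      = get_userdata( $user_id );
    $sensitive = array( 'administrator', 'financial_advisor', 'account_manager' );
    if ( $user && array_intersect( $sensitive, (array) $user->roles ) ) {
        return 8 * HOUR_IN_SECONDS;
    }
    return $remember ? 30 * DAY_IN_SECONDS : $seconds;
}
add_filter( 'auth_cookie_expiration', 'example_auth_cookie_expiration', 10, 3 );

// Step 3, session timeout: track last activity inside the server-side session
// record and end the session once it has been idle for too long.
function example_enforce_idle_timeout() {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $token   = wp_get_session_token();
    $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
    $session = $manager->get( $token );
    if ( ! $session ) {
        return; // No session record for this request (e.g. not cookie-based).
    }
    $now  = time();
    $last = isset( $session['last_activity'] ) ? (int) $session['last_activity'] : $now;
    if ( $now - $last > EXAMPLE_IDLE_LIMIT ) {
        wp_logout(); // Destroys this session token and clears the auth cookies.
        wp_safe_redirect( wp_login_url() );
        exit;
    }
    // Write at most once a minute to avoid a usermeta update on every request.
    if ( ! isset( $session['last_activity'] ) || $now - $last >= MINUTE_IN_SECONDS ) {
        $session['last_activity'] = $now;
        $manager->update( $token, $session );
    }
}
add_action( 'init', 'example_enforce_idle_timeout' );
```

Because the timestamp lives in the per-token session record, each browser or device is timed out independently.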
Conclusion
Extending the WordPress auth cookie expiration time can be a valuable technique to improve user experience and reduce the frequency of re-authentication. By renewing the authentication cookie on every page load and adjusting the expiration time, you can keep your users logged in for longer periods, ultimately enhancing the overall usability of your WordPress-powered application.
Remember to balance the convenience of extended login sessions with appropriate security measures, such as periodic re-authentication and session timeouts, to ensure the safety of your users' sensitive data.