Any auth mechanism requiring the user to navigate away from WordPress (e.g., OpenID, Facebook Connect, Google Profile, etc.) causes POST variables to be lost. Therefore, when wp_signon is called, POST is empty and rememberme is non-existent.
I've checked both Janrain Engage and the OpenID provider. Neither implements rememberme and, as a result, they only remember a login for the length of the session. I've submitted a patch for the OpenID provider that implements this, but it's very kludgy.
With that said, it seems that it would be better to have one of the following options:
- change wp_set_auth_cookie to a filter
- have wp_signon check alternate locations
- call wp_signon with pre-hashed passwords contained in the credentials array
Here's further detail:
The quickest method, it seems, is to do exactly what I did - tack the value of rememberme onto a return URL (or store it in a SESSION variable). This necessitates overriding wp_set_auth_cookie. The only line from my patch that is different from wp_set_auth_cookie as found in pluggable.php is line 861.
This is why I say a filter would be better. This way I can still override wp_set_auth_cookie with my function, determine if rememberme is set, and then call wp_set_auth_cookie as found in pluggable.php.
This might be a terrible idea for security. I haven't thought it through from a security standpoint. But it still allows for a simpler solution than overriding wp_set_auth_cookie in order to change a single line.
Since OpenID, Facebook Connect, et al, don't require the user to enter a password on our WordPress site, we never have the password in plaintext. This is problematic because wp_signon currently expects a plaintext password.
What I could have done was to send the user's pre-hashed password and then hook the wp_authenticate filter before wp_check_usernamepassword to see if the password was pre-hashed and return the user if the hashes matched. If the password wasn't hashed, I would call wp_check_usernamepassword and return that value.
This is fine, but there are 2 problems with this method:
- it seems like a lot of overhead to hook wp_authenticate just to get the value of rememberme
- bug #15473 blocks this
So, my question is, what would people think of any of these options? Is there a better way to accomplish this?