Support » Developing with WordPress » wordpress_logged_in cookie and REST API

  • Any thoughts on why the wordpress_logged_in cookie might not be returned when authenticating via basic auth to REST API?

    The bigger picture here is with Woocommerce downloadable products and having “user must be logged in to download” enabled. It seems the wordpress_logged_in cookie is required if this is enabled.

    I didn’t post to Woocommerce, since it just build upon the WP REST API. There are probably other scenarios besides Woocommerce and downloadable products affected by this.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator t-p


    I recommend asking at so the plugin’s developers and support community can help you with this.

    Moderator bcworkz


    Cookie data could have been returned through REST, but it was not done, there was no need seen for most common implementations. Fringe use cases that need such data can create their own endpoints where their custom handler does send cookie data.

    With cookie authentication, the requesting app does not need the logged in cookie. The REST handlers merely check if is_user_logged_in() or if a certain capability is required, checked with current_user_can(). It’s all done server side, so no need to send cookies for authentication purposes.

    For authentication beyond basic cookie, perhaps authenticating data is indeed sent out. It would depend on how the authentication is managed. Such an extension would create its own endpoints to manage this.

    I’m already making custom endpoints to extending that to solve this problem is do-able. After attempting to follow the stack of REST API code, it hasn’t yet surfaced where authentication happens. rest_post_dispatch filter looks like what can be extended to acquire wordpress_logged_in and other cookies.

    I asked this question to confirm my initial assumption about the missing cookies and to get a hint on what to fix.


    Moderator bcworkz


    REST cookie authentication works like any other authentication because that is what it is. One has to log in in order to use cookie authentication. REST really has nothing to do with it. wp_authenticate is used. Authentication can be extended and customized through the “authenticate” filter. As for other REST authentication, it depends on the plugin being used. If this is where your inquiries lead you, I suggest you inquire in the support forum for that specific plugin.

    Basic Authentication is designed to operate separately from Cookie Authentication; if you are authenticating with a cookie you’d be passing a NONCE along with your request, rather than using Basic Auth. I think there have been some situations where people found that an active login cookie prevented other forms of authentication from working, so the two might actually be in conflict. We’re working on a document explaining the overall flow of the REST API request process, including where authentication happens; but in this case I’d also suggest making a post in the woo support forums, since that will likely yield a quicker and more specific response.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘wordpress_logged_in cookie and REST API’ is closed to new replies.