How to check if you're logged in to WordPress from Go : AntonioCortes.com

As a proof of concept, I’m making a small API in Golang that, on an Apache with mod_proxy, serves certain content to a WordPress site.

The small challenge, which is really small, is knowing from that mini application in Go, and through the wordpress_logged_in_XXXXXX cookie who the user is (if they’re logged in).

To see how WP composes the cookie, you only need to look at the source code, and this is how it could be solved in Go

GitHub Gist

Ver en GitHub →

	package main

	import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	)

	type cookieWP struct {
	User string
	Scheme string
	Expiration string
	Token string
	Hmac string
	}

	func main() {

	// cookieName -> wordpress_logged_in + md5( domain )
	// cookieName := `wordpress_logged_in_d33f7171d85009b773bd2aab4967e7f8`
	// wp-config.php define('LOGGED_IN_KEY', [...]);
	loggedKey := "TLA$Zt1tTX5&{V,`sa8^I&p%dA^CJ~,0t?]*dG}V8gW=5lGc1l{0hO3=.vJ+qbi-"
	// wp-config.php define('LOGGED_IN_SALT', [...]);
	loggedSalt := "=B^Bd+prt?@UVG=NClBUbq;}iY{d\|5m 7Y4R3sws-+5ddEJHW,3J`{=.]OUGY1Hb"

	// the content of cookie
	cookieValue := `admin%7C1427358559%7Cg3JkuKWnFFTsynJkHRb7zplvCKQJH8rvmqPdOXDnctB%7Cc3510f74afcd0fd0ddb8e5096dd59d00f6843e5df645081723afa091286cef6a`
	elements := strings.Split(cookieValue, `%7C`)

	cookie := &cookieWP{
	Scheme: "logged_in",
	User: elements[0],
	Expiration: elements[1],
	Token: elements[2],
	Hmac: elements[3],
	}
	// passFragment is the substring (8, 4 ) of db wp_users, field user_pass
	// where user_login = cookie.User
	// substring 8:4
	passFragment := `a938`

	fromKey := cookie.User + `\|` + passFragment + `\|` + cookie.Expiration + `\|` + cookie.Token
	hasher := hmac.New(md5.New, []byte(loggedKey+loggedSalt))
	hasher.Write([]byte(fromKey))
	hashed := hex.EncodeToString(hasher.Sum(nil))
	hashercheck := hmac.New(sha256.New, []byte(hashed))

	hashercheck.Write([]byte(cookie.User + `\|` + cookie.Expiration + `\|` + cookie.Token))

	hashedcheck := hex.EncodeToString(hashercheck.Sum(nil))
	fmt.Println("hashed ", cookie.Hmac, " -> ", hashedcheck)

	if cookie.Hmac == hashedcheck {
	fmt.Println("hello ", cookie.User)
	} else {
	fmt.Println("bad cookie for ", cookie.User)
	}
	}

view raw checkCookieWordpress.go hosted with ❤ by GitHub

JavaScript requerido

Para ver este Gist, necesitas tener JavaScript habilitado. Ver directamente en GitHub

Notes:

I don’t check the Expiration value in this example
This code won’t work for me in the project since I’ll change, through a hook in WP, how the cookie is created and validated by adding 2 more elements to the hash method (to give a bit of extra security): The validated user’s IP and the Browser used (Agent), since I consider WP’s default format too “weak”.

	var c = { } ;
	var x = graph.V("edu").In('in_sector').In('in_industry').Out('has_skill').Tag("id").ForEach(
	function ( d ) {
	if ( c[d.id] ) {
	c[d.id] ++;
	} else {
	c[d.id] = 1 ;
	}
	d.count = c[d.id] ;

	}
	) ;
	g.Emit( c ) ;

Latest Posts

Claude Code with LSP: from searching text to understanding code

Ghost Jobs: the economy built on positions that don't exist

DuckDB and httpfs behind a proxy: the secret nobody tells you

How PostgreSQL Estimates Your Queries (And Why It Sometimes Gets It Wrong)

Analyzing Container Filesystem Isolation for Multi-Tenant Workloads

The Software Development Renaissance with AI Agents

How to check if you're logged in to WordPress from Go

Comments

Latest Posts

Resources March 11, 2022

Options Pattern in Golang

How to create a simple event streaming in Laravel?

One day I'll discover what the comfort zone is, or not

A Gremlin query for Cayley