Kill previous session if the same user logged in again wordpress - wordpress

Is there an option to destroy all other user session after a user logs in. I found an option for destroying sessions as
// get all sessions for user with ID $user_id
$sessions = WP_Session_Tokens::get_instance( $user->ID );
// we have got the sessions, destroy them all!
$sessions->destroy_all();
It can use on authenticating a user, but I am using a social login plugin for authenticating users, so need to hack the plugin for achieving the same. Can you help me figure out an option to destroy all previous sessions on or after "wp_login" action.

Resolved it!!.
destroy_all() will destroy all the sessions so when we are use this in wp_login hook it will destroy the current session too, instead we can use destroy_others() function.
The final code shown below
function your_function( $user,$user_id) {
$sessions = WP_Session_Tokens::get_instance( get_current_user_id() );
$token = wp_get_session_token();
$sessions->destroy_others( $token );
}
add_action('wp_login', 'your_function',10,2);

You could try to hook into the wp_login action. Could be done in the plugin or in your functions.php
<?php
function your_function() {
// your code
}
add_action('wp_login', 'your_function');
?>
https://codex.wordpress.org/Plugin_API/Action_Reference/wp_login

Related

Disable auto login upon registration in Wordpress

[update1] I am using the ClassiCraft theme and I have no idea where to customize the login and register forms
[update2] I know that the registration process does not go through wp_authenticate because I redefined it inside a plugin of mine
I am quite new in the Wordpress world (actually just got my hands on it for the first time yesterday) and I am having some difficulties finishing up a little project I am working on.
The project is rather simple (or so I thought) and consists in adding a confirmation link to email received upon registration in order to validate the email address provided to prevent using fake emails that the registrar does not even own.
I am about all done except that once I hit the register button it leads to log in the freshly created user.
I googled stuff like "wp disable auto login on registration" and whatnot but I have not been able to find anything that worked. I even tested a few plugins supposed to be doing exactly what I need but none of them worked.
Also, I am not using any plugins for the registration/login forms and it appears that the code in the wp-login.php file is actually not even used...
Would anyone have an idea? Thanks
Okay, so without an access to the theme, i can't really answer you.
But i can tell you what I would try.
1. Add action on user_register hook, to add a post meta that will be useful to check if user has confirm his email.
add_action( 'user_register', 'add_has_confirm_email_user_meta');
function add_has_confirm_email_user_meta( $user_id ) {
update_user_meta( $user_id, 'has_confirm_email', 0 );
}
2. Prevent the user from log in automatically after registration.
Here i can't tell you the hook that will works for you. For example, the hook for the wordpress registration is user_register, but if you have woocommerce, the hook I will use, would be woocommerce_registration_redirect. So try to find what hook is available after the registration with your theme.
In all case, the code in the function would be something like :
function custom_registration_redirect() {
// Log out the user
wp_logout();
// The login url could be an other, with woocommerce for example it is : get_permalink(get_option('woocommerce_myaccount_page_id')
$login_url = wp_login_url();
// Redirect on it
wp_redirect( $login_url);
exit;
}
It will also be necessary, to add a message on this page to alert the user, that he will receive an email to confirm his account.
3. Prevent user from login when he submit the log in form
Add action on wp_login hook to achieve that.
add_action('wp_login', 'prevent_user_from_login', 10, 2);
function prevent_user_from_login($user_login, $user = null ) {
if ( !$user ) {
$user = get_user_by('login', $user_login);
}
if ( !$user ) {
// not logged in
return;
}
// Get user meta
$has_confirm_email = get_user_meta( $user->ID, 'has_confirm_email', true );
if ( $has_confirm_email == '0' ) {
// Clear cookies, a.k.a log user out
wp_clear_auth_cookie();
$login_url = wp_login_url();
$login_url = add_query_arg( 'has_confirm_email', '0', $login_url);
wp_redirect( $login_url );
exit;
}
}
4. Add message on log in page if we get the has_confirm_email to 0
add_filter('login_message', 'has_not_confirm_email_login_message');
function has_not_confirm_email_login_message($message) {
if ( isset( $_GET['has_confirm_email'] ) && $_GET['has_confirm_email'] == 0 ) {
$message = '<div id="login_error">You have not confirmed your email.</div>';
}
return $message;
}
5. Send the email with a link to confirm his email.
You will need to generate a token to add to the url.
For the hook to change the default email sent by Wordpress, you can use wp_new_user_notification_email that is available since the 4.9 of Wordpress.
In the function itself you could do something like :
function wp_new_user_notification_email( $wp_new_user_notification_email, $user, $blogname) {
// Generate the token (there is other function available with php 7, but this one works great)
$token = bin2hex(openssl_random_pseudo_bytes(16));
// Add the token to the user
update_user_meta( $user->id, 'confirm_email_token', $token );
// Get your login url
$log_in_url = wp_login_url();
// Add user id and token to the url
$url = add_query_arg(
array(
'token' => $token,
'user_id' => $user->id
),
$log_in_url
);
//
$wp_new_user_notification_email['subject'] = 'Welcome on our website, please confirm your email';
$wp_new_user_notification_email['message'] = 'Blablabla... the url to confirm is: '. $url;
return $wp_new_user_notification_email;
}
6. Hook on the login page to check the $_GET, looking for user_id and token.
Here we check the token and the user. If everything is okay, update the user meta has_confirm_email to 1, so the user can connect, and add a message : "Your email has been confirmed, you can now log in"
add_action( 'login_init', 'custom_login_init');
function custom_login_init(){
if(!empty($_GET['token']) && !empty($_GET['user_id'])) {
if(get_the_author_meta( 'confirm_email_token', $_GET['user_id']) === $_GET['token']) {
// Set the has_confirm_email to 1 so the user can now log in
update_user_meta( $user_id, 'has_confirm_email', 1);
update_user_meta( $user_id, 'confirm_email_token', '');
echo 'Your email has been confirmed, you can now log in';
}
}
}
7. Time for thinking
Okay, after all of his, i'm gonna think a little, and read what i have tell you, to check if there is no mistake ^^. Tell me if you need more explanations.
I think this is a good start for you, and if you find the right hooks, you will achieve this rapidly.
Be careful on some hooks that i have used, because your theme may have use a custom registration or something.
Here is what I did:
added a column in the table wp_users to receive the email confirmation code
built a plugin (details here) called user-emails that allows me to bypass the first email sent upon registration by redefining the function wp_new_user_notification (in which I generate the confirmation code, add it to the user in the DB and send a confirmation email of my own sauce)
redefined the wp_authenticate function inside the same plugin user-emails to allow me to check if the email has been confirmed (column value not null)
created a page for the confirmation with the email and code passed to it that, in case of success, display a message and a link to the home page in order to login
finally got my hands on that one tiny line of code responsible for the auto login after registration located in the page user_auth.php inside the theme folder itself (that file also contains the layout for the login and registration form)
wp_set_auth_cookie( $user_id, true, $secure_cookie );
made sure to display a message after registration informing the user to check his email for the confirmation email

wordpress programmatically logout everywhere else

How can I logout from every where else this place in wordpress? [not wp_logout() because it destroys current session only]
I used this function but it did not work:
WP_User_Meta_Session_Tokens::destroy_other_sessions();
You must first get the user id, then get the token, protect it and destroy the other sessions. Here's a working example:
global $wp_session;
$user_id = get_current_user_id();
$session = wp_get_session_token();
$sessions = WP_Session_Tokens::get_instance($user_id);
$sessions->destroy_others($session);
Here is a working version hooked to the init action.
/**
* Destroys all sessions for this user except the one with the given token (presumably the one in use).
*/
add_action( 'init', 'destroy_all_other_current_user_sessions' );
function destroy_all_other_current_user_sessions() {
$manager = WP_Session_Tokens::get_instance( get_current_user_id() );
$manager->destroy_others( wp_get_session_token() );
};

Hook in woocommerce on subscription expiration

How can I create an Hook in woocommerce (wordpress) to be able to trigger a function when a subscription expires?
Something like this
add_action('woocommerce_subscription_expired', 'my_function', 10, 1);
function my_function($order_id) {
echo "yeahhhh";
}
UPDATE
I found in the developer doc the following
Action: 'subscription_expired'
Parameters: $user_id Integer The ID of the user for whom the
subscription expired. $subscription_key String The key for the
subscription that just expired on the user’s account.
Description: Triggered when a subscription reaches the end of its
term, if a length was set on the subscription when it was purchased.
This event may be triggered by either WooCommerce Subscriptions, which
schedules a cron-job to expire each subscription, or by the payment
gateway extension which can call the
WC_Subscriptions_Manager::expire_subscription() function directly.
Where should I place this to have it working
Thanks
Looks like you are almost there. You just need to use Subscription's action hook and pass the correct parameters. This seems like a start:
add_action( 'subscription_expired', 'my_function', 10, 2 );
function my_function( $user_id, $subscription_key ) {
$sub= wcs_get_subscription_from_key( $subscription_key );
// do something
}
The wcs_get_subscription_from_key is now deprecated, since version 2.0.
You can now use:
add_action( 'woocommerce_subscription_status_expired', 'my_on_subscription_expired', 10 );
function my_on_subscription_expired( $subscription ) {
// do something
}
More hooks (and this one) at Subscriptions Action Reference

Change current user role with form selection on update (not entry creation)

I'm using Formidable forms in Wordpress and have a form that registers users. I can use a radio button in the registration form to determine what their role will be. I have a hook for that. What I need, however, is a hook that will change the user role based on radio selection on form entry UPDATE. My current code only works on entry creation. Here is the code that assigns roles on registration:
add_filter('frmreg_new_role', 'frmreg_new_role', 10, 2);
function frmreg_new_role($role, $atts){
extract($atts);
if($form->id == 8){
if($_POST['item_meta'][280] == 'Job Applicant')
$role = 'applicant';
}
return $role;
}
"8" is the id of the form itself. "280" is the id of the radio button field where "Job Applicant" is one of the values. And "applicant" is one of our site's user roles.
I need an adaptation of this that will change the role after the entry has already been created, on update. The closest thing I can find is a hook that changes user role after a successful PayPal payment. I tried to combine the two but I couldn't get it to work. Here is the PayPal generated user role changer:
add_action('frm_payment_paypal_ipn', 'change_paid_user_role');
function change_paid_user_role($args){
$new_role = 'contributor'; //change this to the role paid users should have
if(!$args['pay_vars']['completed'])
return; //don't continue if the payment was not completed
if(!$args['entry']->user_id or !is_numeric($args['entry']->user_id))
return; //don't continue if not linked to a user
$user = get_userdata($args['entry']->user_id);
if(!$user)
return; //don't continue if user doesn't exist
$updated_user = (array)$user;
// Get the highest/primary role for this user
$user_roles = $user->roles;
$user_role = array_shift($user_roles);
if ( $user_role == 'administrator' )
return; //make sure we don't downgrade any admins
$updated_user['role'] = $new_role;
wp_update_user($updated_user);
}
UPDATE: the action hook should probably be: frm_after_create_entry according to Formidable forums.
Many times, researching the core files is more productive than any Google or Manual. Dropping the whole plugin directory in a code editor and researching for the string frm_after_create_entry takes us to the create() method where this hook happens.
After that, there's the update() method and it provides the action hook: frm_after_update_entry.
This hook passes two parameters: $id and $new_values['form_id']. I cannot reproduce your setup, so testing the hook is up to you.
Reference: Actions and filters are NOT the same thing…
In this example:
add_action( 'frm_after_update_entry', 'change_role_to_staff', 10, 2);
function change_role_to_staff( $form_id, $values ){
var_dump($values);
die();
}
As this is an action hook, nothing has to be returned.
There's no $roles or $atts, the parameters are the form ID and Values.
What you're looking for is inside $values.
var_dump() and die() are for debugging purposes and must be removed at once after testing.
Do your wp_update_user with this values and adapting your previous code.

Will get_current_user_id() in wordpress fire a database request?

I am using get_current_user_id() and wp_get_current_user() multiple times in my plugin. Are these functions going to send a database request everytime I use them or is the user object of the current user always available (cause wordpress requests it anyway on initializing)?
Would it be better to declare a global var at the start of my script with the current user info?
<?php
global $currentUser;
$currentUser = wp_get_current_user();
function function1() {
global $currentUser;
echo $currentUser->ID;
}
?>
No it will not. It will read the wordpress global variable $current_user

Resources