Using WordPress ‘auth_cookie_bad_session_token’ PHP action

The auth_cookie_bad_session_token WordPress PHP action fires from wp_validate_auth_cookie() when an authentication cookie parses correctly, has not expired, names an existing user and carries a valid HMAC, but the session token it contains is not in that user's current session list (WP_Session_Tokens::verify() fails). Typical causes are a session that expired or was destroyed server-side, a "log out everywhere" action, or a captured cookie replayed after the session was revoked. Validation returns false right after the action runs. The action runs on every request that still presents the stale cookie, and handlers receive only the cookie elements, not the user object, so they must look the user up themselves and should expect repeats.

Usage

add_action('auth_cookie_bad_session_token', 'your_custom_function', 10, 1);

function your_custom_function($cookie_elements) {
    // Your custom code here
}

Parameters

  • $cookie_elements (string[]): Authentication cookie components. None of the components should be assumed to be valid as they come directly from a client-provided cookie value.
    • username (string): User's login name as written in the cookie.
    • expiration (string): The time the cookie expires, as a UNIX timestamp.
    • token (string): The session token carried in the cookie; at this point it is not in the user's session list.
    • hmac (string): The security hash for the cookie (already verified before this action fires).
    • scheme (string): The cookie scheme being validated (auth, secure_auth or logged_in).

More information

See WordPress Developer Resources: auth_cookie_bad_session_token

Examples

Log invalid session token

Log invalid session tokens for later analysis. Record a fingerprint of the token rather than the raw cookie value, and expect one entry per request for as long as the stale cookie remains in the client's browser.

add_action('auth_cookie_bad_session_token', 'log_invalid_session_token', 10, 1);

function log_invalid_session_token($cookie_elements) {
    // Log a fingerprint of the token, not the raw cookie value
    $token_fingerprint = substr(hash('sha256', $cookie_elements['token']), 0, 16);
    error_log(sprintf(
        'Invalid session token for user %s (scheme %s, token sha256 %s)',
        $cookie_elements['username'],
        $cookie_elements['scheme'],
        $token_fingerprint
    ));
}

Notify user about invalid session

Send an email notification to the user when an invalid session token is encountered. Because the action fires on every request that carries the stale cookie, an unthrottled handler would mail the user once per page load; the transient below limits it to one message per user per day.

add_action('auth_cookie_bad_session_token', 'notify_user_invalid_session', 10, 1);

function notify_user_invalid_session($cookie_elements) {
    $user = get_user_by('login', $cookie_elements['username']);
    if (!$user) {
        return;
    }
    // Send at most one notification per user per day
    $throttle_key = 'invalid_session_mail_' . $user->ID;
    if (get_transient($throttle_key)) {
        return;
    }
    set_transient($throttle_key, true, DAY_IN_SECONDS);
    $subject = 'Invalid session detected';
    $message = 'A request used a session token for your account that is no longer valid. If you did not recently log out elsewhere, review your active sessions.';
    wp_mail($user->user_email, $subject, $message);
}

Block IP address with invalid session token

Temporarily block the client IP address that presented an invalid session token. The transient on its own blocks nothing, so a second hook checks it on init and refuses the request. Blocking on a single bad token is aggressive: the most common source is a legitimate user whose session was destroyed elsewhere and whose browser still sends the old cookie, and behind a shared NAT or reverse proxy the block lands on every client sharing that address.

add_action('auth_cookie_bad_session_token', 'block_ip_invalid_session', 10, 1);

function block_ip_invalid_session($cookie_elements) {
    // REMOTE_ADDR is set by the web server; behind a reverse proxy it is the proxy's address
    $ip_address = $_SERVER['REMOTE_ADDR'];
    set_transient('block_ip_' . $ip_address, true, HOUR_IN_SECONDS);
}

add_action('init', 'deny_blocked_ip');

function deny_blocked_ip() {
    if (get_transient('block_ip_' . $_SERVER['REMOTE_ADDR'])) {
        wp_die('Access temporarily blocked.', 'Forbidden', array('response' => 403));
    }
}

Track invalid session tokens count

Keep a running count of invalid session tokens for each user. The action fires on every request that carries the stale cookie, so the counter measures requests rather than distinct incidents; reset it (for example from the auth_cookie_valid action) if it should reflect current state rather than lifetime history.

add_action('auth_cookie_bad_session_token', 'track_invalid_session_count', 10, 1);

function track_invalid_session_count($cookie_elements) {
    $user = get_user_by('login', $cookie_elements['username']);
    if ($user) {
        $invalid_sessions = (int) get_user_meta($user->ID, 'invalid_sessions', true);
        update_user_meta($user->ID, 'invalid_sessions', $invalid_sessions + 1);
    }
}

Invalidate all user sessions on invalid session token

Invalidate all of the user's sessions when an invalid session token is encountered. Treat this as a last resort: the action fires for any cookie that still carries a valid HMAC but whose session has been destroyed, so a browser holding an old cookie after a "log out everywhere" action, or an attacker replaying a captured and already-revoked cookie, can force the user out of every device on every request. Gate it behind a threshold or a confirmed indicator rather than a single event.

add_action('auth_cookie_bad_session_token', 'invalidate_all_sessions', 10, 1);

function invalidate_all_sessions($cookie_elements) {
    $user = get_user_by('login', $cookie_elements['username']);
    if ($user) {
        wp_destroy_all_sessions($user->ID);
    }
}
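
Structured, rate-limited logging for a SIEM

The one-line logging example above is enough for debugging but noisy and hard to query. The handler below is an added example, not code from WordPress or its documentation: it emits one JSON line per user and token fingerprint per ten minutes, never writes the raw token, records the scheme and client address, and counts how many distinct revoked tokens have hit one account within an hour, which is the pattern that separates a replayed cookie from a user's own stale browser tab. The log prefix wp_auth_event, the transient prefixes bst_seen_ and bst_tokens_, the time windows and the function name are assumptions chosen for this example.

```php
<?php
/*
 * Added example (not from the WordPress docs): structured, rate-limited
 * logging of auth_cookie_bad_session_token events for SIEM ingestion.
 * Assumed names: log prefix "wp_auth_event", transient prefixes
 * "bst_seen_" and "bst_tokens_", 10-minute dedupe and 1-hour counting windows.
 */
add_action( 'auth_cookie_bad_session_token', 'sec_log_bad_session_token', 10, 1 );

function sec_log_bad_session_token( $cookie_elements ) {
    // Every element came from the client. Core has already matched the username
    // to a user and verified the HMAC, but treat the values as untrusted strings.
    $username = isset( $cookie_elements['username'] ) ? (string) $cookie_elements['username'] : '';
    $token    = isset( $cookie_elements['token'] ) ? (string) $cookie_elements['token'] : '';
    $scheme   = isset( $cookie_elements['scheme'] ) ? (string) $cookie_elements['scheme'] : '';

    // Never write the raw token to a log; a truncated SHA-256 is enough to
    // correlate repeats without copying cookie material into log storage.
    $token_id = substr( hash( 'sha256', $token ), 0, 16 );

    // The action fires on every request that still carries the stale cookie, so
    // de-duplicate per user+token for a short window to keep the log readable.
    $dedupe_key = 'bst_seen_' . md5( $username . '|' . $token_id );
    if ( get_transient( $dedupe_key ) ) {
        return;
    }
    set_transient( $dedupe_key, 1, 10 * MINUTE_IN_SECONDS );

    $user = get_user_by( 'login', $username );

    $event = array(
        'event'      => 'auth_cookie_bad_session_token',
        'ts'         => gmdate( 'c' ),
        'user_id'    => $user ? (int) $user->ID : null,
        'username'   => $username,
        'scheme'     => $scheme,
        'token_id'   => $token_id,
        'cookie_exp' => isset( $cookie_elements['expiration'] ) ? (int) $cookie_elements['expiration'] : null,
        // REMOTE_ADDR is set by the web server, not the client. If TLS terminates
        // at a proxy, have the proxy pass the real client IP in a header only it
        // can set; never trust X-Forwarded-For from the open internet.
        'remote_ip'  => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null,
        'user_agent' => isset( $_SERVER['HTTP_USER_AGENT'] ) ? substr( $_SERVER['HTTP_USER_AGENT'], 0, 200 ) : null,
        'uri'        => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : null,
    );

    // Count distinct revoked tokens seen for this account in the last hour.
    // One stale token repeating is a forgotten browser tab; many distinct ones
    // in a short window suggests someone replaying harvested cookies.
    if ( $user ) {
        $seen_key = 'bst_tokens_' . (int) $user->ID;
        $seen     = get_transient( $seen_key );
        $seen     = is_array( $seen ) ? $seen : array();
        $now      = time();
        $seen     = array_filter( $seen, function ( $t ) use ( $now ) {
            return $t > $now - HOUR_IN_SECONDS;
        } );
        $seen[ $token_id ] = $now;
        set_transient( $seen_key, $seen, HOUR_IN_SECONDS );
        $event['distinct_tokens_last_hour'] = count( $seen );
    }

    error_log( 'wp_auth_event ' . wp_json_encode( $event ) );
}
```

Drop this into a must-use plugin so it loads before regular plugins and cannot be deactivated from the admin UI. Alert on distinct_tokens_last_hour rising above a small number for one account, not on the event itself, since a single stale token from a known address is almost always benign.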