Using WordPress ‘auth_cookie_malformed’ PHP action

The auth_cookie_malformed WordPress PHP action fires if an authentication cookie is malformed.

Usage

add_action('auth_cookie_malformed', 'your_custom_function', 10, 2);

function your_custom_function($cookie, $scheme) {
    // your custom code here
}

Parameters

  • $cookie (string) – Malformed auth cookie.
  • $scheme (string) – Authentication scheme. Values include ‘auth’, ‘secure_auth’, or ‘logged_in’.

More information

See WordPress Developer Resources: auth_cookie_malformed

Examples

Log malformed cookies

Log the details of malformed cookies for debugging purposes.

add_action('auth_cookie_malformed', 'log_malformed_cookies', 10, 2);

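function log_malformed_cookies($cookie, $scheme) {
    if (empty($cookie)) {
        return; // the action also fires when no cookie was sent
    }
    // Client-controlled value: strip control characters and cap the length before logging.
    $safe = substr(preg_replace('/[\x00-\x1F\x7F]/', '', (string) $cookie), 0, 200);
    error_log("Malformed auth cookie: {$safe} | Scheme: {$scheme}");
}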

Notify admin on malformed cookies

Send an email to the admin if a malformed cookie is detected.

add_action('auth_cookie_malformed', 'notify_admin_malformed_cookie', 10, 2);

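function notify_admin_malformed_cookie($cookie, $scheme) {
    // Skip requests without a cookie, and send at most one email per hour (interval
    // chosen for illustration) so repeated bad requests cannot flood the mailbox.
    if (empty($cookie) || get_transient('malformed_cookie_notified')) {
        return;
    }
    set_transient('malformed_cookie_notified', 1, HOUR_IN_SECONDS);
    $admin_email = get_option('admin_email');
    $subject = 'Malformed Auth Cookie Detected';
    // Client-controlled value: strip control characters and cap the length.
    $safe = substr(preg_replace('/[\x00-\x1F\x7F]/', '', (string) $cookie), 0, 200);
    $message = "A malformed authentication cookie has been detected.\n\nCookie: {$safe}\nScheme: {$scheme}";
    wp_mail($admin_email, $subject, $message);
}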

Show error message to users

Display an error message to users when a malformed cookie is detected.

add_action('auth_cookie_malformed', 'show_error_message', 10, 2);

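function show_error_message($cookie, $scheme) {
    if (empty($cookie)) {
        return; // no cookie was sent: an ordinary logged-out visitor, not an error
    }
    wp_die('An error occurred with your authentication. Please try logging in again.');
}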

Invalidate session and force logout

Invalidate the user’s session and force them to log out if a malformed cookie is detected.

add_action('auth_cookie_malformed', 'force_logout_on_malformed_cookie', 10, 2);

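function force_logout_on_malformed_cookie($cookie, $scheme) {
    if (empty($cookie)) {
        return; // no cookie was sent; do not redirect visitors who are simply logged out
    }
    wp_clear_auth_cookie();
    wp_redirect(wp_login_url());
    exit;
}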

Log and block access to specific scheme

Log the details of malformed cookies for a specific scheme and block access.

add_action('auth_cookie_malformed', 'block_malformed_cookie_scheme', 10, 2);

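function block_malformed_cookie_scheme($cookie, $scheme) {
    if (empty($cookie)) {
        return; // no cookie was sent; let the normal login flow handle the request
    }
    if ($scheme === 'secure_auth') {
        // Client-controlled value: strip control characters and cap the length before logging.
        $safe = substr(preg_replace('/[\x00-\x1F\x7F]/', '', (string) $cookie), 0, 200);
        error_log("Blocked access due to malformed auth cookie: {$safe} | Scheme: {$scheme}");
        wp_die('Access blocked due to security concerns. Please contact the administrator.');
    }
}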
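
A logging handler that records the shape of a malformed cookie (length, field count, truncated hash) instead of its value, and throttles entries per client. This is an added example, not code from WordPress core or from the original page; the function name, the transient key prefix and the limit of five entries per minute per IP are assumptions.

```php
<?php
// Added example. example_record_malformed_cookie, the 'ex_badcookie_' prefix
// and the 5-per-minute limit are illustrative assumptions, not WordPress names.
add_action( 'auth_cookie_malformed', 'example_record_malformed_cookie', 10, 2 );

function example_record_malformed_cookie( $cookie, $scheme ) {
    // The action also fires when no cookie was sent; those requests are not findings.
    if ( ! is_string( $cookie ) || '' === $cookie ) {
        return;
    }

    // REMOTE_ADDR is the proxy address when the site sits behind a reverse proxy.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : 'unknown';

    // Per-client throttle so a stream of bad cookies cannot flood the log.
    $key   = 'ex_badcookie_' . md5( $ip );
    $count = (int) get_transient( $key );
    if ( $count >= 5 ) {
        return;
    }
    set_transient( $key, $count + 1, MINUTE_IN_SECONDS );

    // Only documented scheme values reach the log; anything else is bucketed.
    $known = array( 'auth', 'secure_auth', 'logged_in' );

    $record = array(
        'event'  => 'auth_cookie_malformed',
        'scheme' => in_array( $scheme, $known, true ) ? $scheme : 'other',
        'ip'     => $ip,
        'length' => strlen( $cookie ),
        // A well-formed auth cookie has 4 pipe-separated fields.
        'fields' => substr_count( $cookie, '|' ) + 1,
        // Truncated hash: enough to correlate repeats without storing the value.
        'sha256' => substr( hash( 'sha256', $cookie ), 0, 16 ),
    );

    // JSON encoding escapes control characters, so the entry stays on one line.
    error_log( wp_json_encode( $record ) );
}
```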