Please use exit instead of die();
Hello,
Please try using wp_verify_nonce instead of check_ajax_referer. Here is a useful link for your reference: https://wordpress.stackexchange.com/questions/48110/wp-verify-nonce-vs-check-admin-referer
This reply was modified 5 years, 5 months ago by sandeep812.
Hello,
Can you post your JS code?
Here is the JavaScript code:
function loginAuth() {
    if ( !userName.value || !passWord.value ) {
        loginMessage.classList.add( 'wrong' );
        submitLogin.disabled = false;
        loginMessage.innerHTML = 'Please enter both login credentials.';
    } else {
        jQuery( document ).ready( function( $ ) {
            $.post(
                live_reserch.ajaxurl,
                {
                    user_name : userName.value,
                    password  : passWord.value,
                    remember  : remember.value,
                    _wpnonce  : live_reserch.nonce,
                    action    : 'prt_login'
                },
                function( data ) {
                    // admin-ajax.php appends a trailing "0" when the handler does not
                    // call wp_die() itself; strip only that trailing character, not the
                    // first "0" anywhere in the JSON.
                    var parsedData = JSON.parse( data.replace( /0$/, '' ) );
                    if ( parsedData.status == true ) {
                        submitLogin.disabled = true;
                        loginMessage.classList.add( 'right' );
                        loginMessage.innerHTML = parsedData.message;
                        setTimeout( function() {
                            location.reload( true );
                        }, 1200 );
                    } else {
                        submitLogin.disabled = false;
                        loginMessage.classList.add( 'wrong' );
                        loginMessage.innerHTML = parsedData.message;
                    }
                }
            );
        } );
    }
}
I also tried to implement the suggestion you guys have kindly made, but nothing has changed: I still get the whole page as the Ajax return instead of the JSON data I’m expecting to receive.
Any idea? Thanks in advance.
Did you try viewing the whole page returned from AJAX? That page may contain some error messages.
I just did it and the page returned is exactly the page where the Ajax request started. No error messages.
What makes everything strange is that the code works perfectly if the login credentials are correct. wp_signon(), according to the documentation, should return the WP_User if it succeeds and an error if it doesn’t.
When it succeeds it executes this part of the code:
echo json_encode(
    array(
        'status'  => true,
        'message' => 'The login was successful. Reloading the page...'
    )
);
while if it does not succeed it should enter the if statement and execute this other part:
if ( is_wp_error( $login_status ) ) {
    echo json_encode(
        array(
            'status'  => false,
            'message' => 'Wrong login credentials.'
        )
    );
    die();
}
As you can see both parts of the code end up generating some JSON data; the only problem is that when the $login_status = wp_signon( $cred, true );
is executed with the wrong credentials, generating an error, somehow it stops the Ajax handling function and returns the page.
What concerns me is that I’ve seen this method used in some online tutorials and it works just fine for them. Am I doing something wrong?
I used a trick to make the Ajax handling function work, I wrote my own function to check the login credentials.
I know it’s not the proper way to do it, but I really don’t know where the problem is.
Here is the function used to check the login credentials.
function prt_verify_login_credentials( $cred ) {
    global $wpdb;
    $user_name = $cred['user_login'];
    $password  = $cred['user_password'];
    // Use $wpdb->prepare() so the submitted login name is bound as a value
    // rather than interpolated into the SQL string.
    $rm_sql = $wpdb->prepare(
        "SELECT u.ID, u.user_pass FROM {$wpdb->users} AS u WHERE u.user_login = %s OR u.user_email = %s",
        $user_name,
        $user_name
    );
    $user = $wpdb->get_results( $rm_sql, OBJECT );
    if ( count( $user ) == 1 ) {
        $user_found = $user[0];
        if ( wp_check_password( $password, $user_found->user_pass, $user_found->ID ) ) {
            $user_status = true;
        } else {
            $user_status = false;
        }
    } else {
        $user_status = false;
    }
    return $user_status;
}
I changed the Ajax handling function into:
function prt_login() {
    if ( isset( $_POST['_wpnonce'] ) && wp_verify_nonce( $_POST['_wpnonce'], 'wp_rest' ) ) {
        if ( isset( $_POST['remember'] ) && $_POST['remember'] == 'true' ) {
            $rmbr = true;
        } else {
            $rmbr = false;
        }
        $user_name = sanitize_text_field( $_POST['user_name'] );
        $cred = array(
            'user_login'    => $user_name,
            'user_password' => $_POST['password'],
            'remember'      => $rmbr
        );
        if ( ! prt_verify_login_credentials( $cred ) ) {
            echo json_encode(
                array(
                    'status'  => false,
                    'message' => 'Wrong login credentials.'
                )
            );
            die();
        }
        $login_status = wp_signon( $cred, true );
        echo json_encode(
            array(
                'status'  => true,
                'message' => 'The login was successful. Reloading the page...'
            )
        );
    } else {
        // if the nonce is not verified it dies
        die();
    }
    die();
}
Now I get the right JSON data in both cases, login credentials verified or not.
The only problem is that now I use my own function, and it has been only a few months since I started writing my own code; I don’t want to make some rookie mistake and leave the door open. Can someone with more experience please tell me if my code is safe and, eventually, what I should do to make it safer?
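For comparison, here is an added example of the same handler written without any hand-written SQL (this is editorial example code, not code from the thread). It assumes a nonce action named 'prt_login_nonce' (the thread uses 'wp_rest') and keeps the POST fields and the {status, message} response shape the thread's JavaScript already expects.

```php
<?php
// Added example: hardened prt_login handler. Assumed nonce action 'prt_login_nonce'.
add_action( 'wp_ajax_nopriv_prt_login', 'prt_login_hardened' );
add_action( 'wp_ajax_prt_login', 'prt_login_hardened' );

function prt_login_hardened() {
    // Third argument false: do not let check_ajax_referer() die with '-1',
    // so the client always receives JSON in the expected shape.
    if ( ! check_ajax_referer( 'prt_login_nonce', '_wpnonce', false ) ) {
        wp_send_json( array( 'status' => false, 'message' => 'Invalid request.' ), 403 );
    }

    $user_name = isset( $_POST['user_name'] ) ? sanitize_user( wp_unslash( $_POST['user_name'] ) ) : '';
    // The password is deliberately not sanitized (that would alter it); it is
    // only handed to WordPress' own authentication, never placed in a query.
    $password  = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';
    $remember  = isset( $_POST['remember'] ) && 'true' === $_POST['remember'];

    if ( '' === $user_name || '' === $password ) {
        wp_send_json( array( 'status' => false, 'message' => 'Please enter both login credentials.' ) );
    }

    // wp_signon() runs the normal 'authenticate' filter chain (login name or
    // e-mail, lockout and 2FA plugins, password hashing) and returns a WP_User
    // on success or a WP_Error on failure; no custom credential lookup needed.
    $user = wp_signon(
        array(
            'user_login'    => $user_name,
            'user_password' => $password,
            'remember'      => $remember,
        ),
        is_ssl()
    );

    if ( is_wp_error( $user ) ) {
        // One generic message for every failure so the reply does not reveal
        // whether the account exists.
        wp_send_json( array( 'status' => false, 'message' => 'Wrong login credentials.' ) );
    }

    // wp_send_json() calls wp_die() itself, so admin-ajax.php never appends the
    // trailing "0" that the thread's JavaScript has to strip with replace().
    wp_send_json( array( 'status' => true, 'message' => 'The login was successful. Reloading the page...' ) );
}
```

With wp_send_json() ending the request, the client can call JSON.parse( data ) directly; the nonce for the JavaScript side would be created with wp_create_nonce( 'prt_login_nonce' ) in the same wp_localize_script() call that already provides live_reserch.ajaxurl.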