• Resolved lightyarn

    (@lightyarn)


    Hey everyone,

    I have a strange problem and I hope you can help me with that. The following login information causes the problem:

    Username: Testorino (could be anything else)
    Password: A*B"C§D3E^F

    The strange thing is: It works perfectly fine when logging in using the WP login form on the website.
    But when I try to log in via code using wp_authenticate, providing the same data, it fails:
    $check_WPAUTH = wp_authenticate($user, $pass);

    Also wp_signon fails:

    $creds = array(
    		'user_login'    => $user,
    		'user_password' => $pass,
    		'remember'      => false
    	);
    
    	$user = wp_signon( $creds, false );

    Is there anything I am doing wrong? Do you have any idea?
    EDIT: It says the password is wrong using this:

    $user = 'Testorino';
    $pass = 'A*B"C§D3E^F';
    • This topic was modified 2 years, 5 months ago by lightyarn.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator bcworkz

    (@bcworkz)

    I tried the exact same user and password with wp_authenticate(), it returns the correct user. wp_signon() ends up calling wp_authenticate(), so it’s no surprise the same result occurs.

    Calling wp_authenticate() simply returns either a WP_User object or a WP_Error object. It doesn’t actually log anyone in, it merely confirms if the user and password are correct or not.

    If you actually want someone to become logged in, use wp_set_auth_cookie(). This function does not verify passwords, it’ll log in any valid user without any additional verification. Use carefully.

    Thread Starter lightyarn

    (@lightyarn)

    Hey, thank you for your quick response! =)

    I’m aware of the fact that this is not how you log a user in. It’s just about checking a provided password for a specific user.

    Nevertheless this workflow is reproducible for me and does not work:
    Create new user on homepage -> Choose any username -> Choose password A*B"C§D3E^F -> Providing wp_authenticate() with data -> Error (wrong password)

    This workflow does not work either:
    Create new user on homepage -> Choose any username -> Choose any password -> Change password to A*B"C§D3E^F -> Providing wp_authenticate() with data -> Error (wrong password)

    EDIT: Here is the code I am using, maybe I am doing something wrong?

    <?php
    
    require_once("wp-includes/class-phpass.php");
    require_once("wp-load.php");
    
    $user = 'Testorino';
    $pass = 'A*B"C§D3E^F';
    $hash = '$P$BkzuqC7u7VcELPtIrI7oB2Pa8cdX4J0';
    
    print_r("user:          " . $user . "</br>");
    print_r("pass:          " . $pass . "</br>");
    print_r("hash:          " . $hash . "</br>");
    print_r("</br>");
    print_r("</br>");
    
    $wp_hasher = new PasswordHash( 8, true );
    $checkPass_phpass = $wp_hasher->CheckPassword($pass, $hash);
    print_r("Check with -phpass-: " . $checkPass_phpass . "</br>");
    
    if($checkPass_phpass)
    {
    	print_r("checkpass TRUE <br>");	
    }
    else
    {
    	print_r("checkpass NULL or FALSE! <br>");	
    }
    print_r("-----------------------------------</br>");
    
    $checkPass_WP = wp_check_password($pass, $hash);
    print_r("Check with -wp_check_password-: " . $checkPass_WP . "</br>");
    
    if($checkPass_WP)
    {
    	print_r("checkpass_WP TRUE </br>");	
    }
    else
    {
    	print_r("checkpass_WP NULL or FALSE! </br>");
    }
    print_r("-----------------------------------</br>");
    
    $check_WPAUTH = wp_authenticate($user, $pass);
    if(is_wp_error( $check_WPAUTH ))
    {
    	print_r("Check with -wp_authenticate-: WRONG! </br>");
    	print_r($check_WPAUTH->get_error_message() . "</br>");
    }
    else
    {
    	print_r("Check with -wp_authenticate-: CORRECT! </br>");
    }
    print_r("-----------------------------------</br>");
    
    $creds = array(
    		'user_login'    => $user,
    		'user_password' => $pass,
    		'remember'      => false
    	);
    
    	$user = wp_signon( $creds, false );
    
    	if ( is_wp_error( $user ) ) 
    	{
    		print_r("check with -wp_signon-: FAILED! </br>");
    		print_r($user->get_error_message());
    	}
    	else
    	{
    		print_r("check with -wp_signon-: SUCCESS!</br>");
    	}
    
    ?>
    • This reply was modified 2 years, 5 months ago by lightyarn.
    Moderator bcworkz

    (@bcworkz)

    The problem is the " character in the password. When you set it using WP it gets escaped so that it is handled properly. You haven’t escaped it in your code, so there is a mismatch in interpreting the password string. If you set $pass like so:
    $pass = 'A*B\"C§D3E^F';
    it’ll work. \ isn’t a password char, it’s an escape sequence for the double quote.

    Thread Starter lightyarn

    (@lightyarn)

    Ah I see. Doing this for the hard-coded test php script would definitely fix this particular case.

    Of course this solution needs to be applied for the real use case where the password will be whatever the user types in. Most certainly they will not automatically care about escaping any chars in their password…
    I did some research myself and it seems that wp_slash(password) should do the trick. Could be interesting for anyone who has this kind of problem.

    It remains kind of “odd” that WordPress does not store your password EXACTLY the way you typed it in but decides to add some characters to it. Of course you never notice it while staying in the same ecosystem but when calling from external this is….strange.

    This should also be in the documentation! Reading about logging in, checking password, etc it says nothing about “Hey you should escape the provided password because we do it too on registration”

    Moderator bcworkz

    (@bcworkz)

    The slashed quote isn’t due to WP, that’s how the form data arrives. I don’t know where it gets slashed, client side, server process, PHP process? I only know we need to unslash content coming in from form fields which might be anything beyond plain ASCII text. Apparently with passwords, WP processes them without doing so. When you add a slash in the hardcoded value, what you’re doing is emulating the way form data arrives.
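
The mismatch described in this thread, shown as an added example that is not part of any poster's reply and is not WordPress code. It runs without WordPress: `addslashes()` stands in for the slashing applied to form data (the effect `wp_slash()` has on a string), and `password_hash()`/`password_verify()` stand in for the phpass hasher; the function names and the sample passwords other than the thread's are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Stand-ins: addslashes() plays the role
// of the slashing applied to form data (what wp_slash() does to a string),
// and password_hash()/password_verify() replace WordPress's phpass hasher.

// How the password reaches the hasher when it is set through a web form,
// per the behaviour described in the thread.
function hash_from_form(string $typed): string {
    $as_received = addslashes($typed);          // " becomes \"
    return password_hash($as_received, PASSWORD_DEFAULT);
}

// Check as the thread's test script did: raw string, no slashing.
function check_raw(string $typed, string $hash): bool {
    return password_verify($typed, $hash);
}

// Check with the input slashed first, matching what was hashed.
function check_slashed(string $typed, string $hash): bool {
    return password_verify(addslashes($typed), $hash);
}

// Constructed sample passwords; the first is the one from the thread.
$samples = ['A*B"C§D3E^F', "it's", 'back\\slash', 'NoSpecials123'];

foreach ($samples as $typed) {
    $hash = hash_from_form($typed);
    printf(
        "%-16s stored-as=%-18s raw=%-5s slashed=%s\n",
        $typed,
        addslashes($typed),
        var_export(check_raw($typed, $hash), true),
        var_export(check_slashed($typed, $hash), true)
    );
}
```

Only passwords containing a single quote, double quote, backslash or NUL byte are changed by slashing, which is why the raw check fails for those and still passes for passwords without them.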

  • The topic ‘Login with special characters does not work (password problem)’ is closed to new replies.