How to get the current user even when the core function is not available

Sometimes you need to know which user is currently logged in, but your code runs before the WordPress core function wp_get_current_user is available.

So, is it still possible to get the current user? Of course, it is. We just need to read the cookies and have access to the constant LOGGED_IN_COOKIE.

Reading the cookies is no problem, and the constant LOGGED_IN_COOKIE is defined before any plugin or theme loads, so we have everything we need to get the current user in our plugin or theme, no matter which hook is firing.

Here is a function that gets the current user even before the WP core function becomes available during the loading sequence:


function jose_get_current_user() {
    // If the core function is available we use it and return its result.
    if ( function_exists( 'wp_get_current_user' ) ) {
        return wp_get_current_user();
    }
    // Without the cookie name constant or the cookie itself there is nothing to look up.
    if ( ! defined( 'LOGGED_IN_COOKIE' ) || empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
        return false;
    }
    $cookie = $_COOKIE[ LOGGED_IN_COOKIE ];
    // The logged-in cookie has four '|'-separated elements; only the first one (the username) is used below.
    $cookie_elements = explode( '|', $cookie );
    if ( count( $cookie_elements ) !== 4 ) {
        return false;
    }
    if ( ! empty( $cookie_elements[0] ) ) {
        global $wpdb;
        $user = $wpdb->get_row(
            $wpdb->prepare(
                "SELECT * FROM $wpdb->users WHERE user_login = %s LIMIT 1",
                sanitize_user( $cookie_elements[0] )
            )
        );
        // Sanity checks on the row before treating it as a user object.
        if (
            $user
            && is_object( $user )
            && isset( $user->user_login )
            && sanitize_user( $user->user_login ) === $user->user_login
            && isset( $user->user_email )
            && $user->user_email === sanitize_email( $user->user_email )
            && isset( $user->ID )
            && '' . absint( $user->ID ) === '' . $user->ID
        ) {
            // It's a valid user
            return $user;
        }
    }
    return false;
}


We immediately check whether the core function wp_get_current_user is available. If so, we return its result. This happens when your code calls the function above at a point where you could have used the core function wp_get_current_user directly.

Then we check that the constant LOGGED_IN_COOKIE is defined and that the logged-in cookie is set; if not, we can't get the current user, so we return false without touching the database.

Then we take the username from the cookie and query the database for the user object.

If the user object is valid, we return the user object.

You will need the function above only in the rare cases when wp_get_current_user is not available, e.g. before the action “plugins_loaded” is fired; in all other cases, use the WP core function.

Are you wondering if this function is safe? Could someone visit the page with a fake cookie that includes the username of a user with high privileges?

The constant LOGGED_IN_COOKIE that we use in the function is defined by the WordPress core, and its value is something that looks like

wordpress_logged_in_dsflkj234fdskl3gfdkj35lkj543lkjgdfgdkklj


So, the bad guys would have to guess something like that to exploit this function and pretend to be users with high privileges.
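The function above acts on the first field of the cookie, the username, and does not look at the other three fields (expiration, session token, HMAC) that core uses to tie the cookie to a real login; note also that core derives the cookie name deterministically as wordpress_logged_in_ followed by the md5 of the site URL, so the verification has to rest on those fields rather than on the name. The following is an added example, not code from the original post, that performs the same checks core's wp_validate_auth_cookie does (WordPress 4.0 or later cookie format) before returning the user. It assumes LOGGED_IN_KEY and LOGGED_IN_SALT are defined as constants in wp-config.php and that the WP_Session_Tokens class has already been loaded by wp-settings.php.

```php
<?php
// Added example: returns the user only after the cookie passes the same checks
// core's wp_validate_auth_cookie() applies (WordPress 4.0+ cookie format).
// Assumes LOGGED_IN_KEY and LOGGED_IN_SALT are defined in wp-config.php; with
// database-generated salts the key derivation differs, so we fail closed.
function jose_get_verified_current_user() {
    if ( function_exists( 'wp_get_current_user' ) ) {
        return wp_get_current_user();
    }
    if ( ! defined( 'LOGGED_IN_COOKIE' ) || empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) {
        return false;
    }
    if ( ! defined( 'LOGGED_IN_KEY' ) || ! defined( 'LOGGED_IN_SALT' ) ) {
        return false; // Cannot rebuild the signing key without the constants.
    }
    $elements = explode( '|', $_COOKIE[ LOGGED_IN_COOKIE ] );
    if ( 4 !== count( $elements ) ) {
        return false;
    }
    list( $username, $expiration, $token, $hmac ) = $elements;
    // Reject an expired cookie before doing any database work.
    if ( ! ctype_digit( $expiration ) || (int) $expiration < time() ) {
        return false;
    }
    global $wpdb;
    $user = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->users} WHERE user_login = %s LIMIT 1", $username )
    );
    if ( ! $user || ! isset( $user->user_pass, $user->ID ) ) {
        return false;
    }
    // Core derives the key with wp_hash(): hash_hmac('md5', data, LOGGED_IN_KEY . LOGGED_IN_SALT),
    // binding the cookie to a fragment of the stored password hash.
    $pass_frag = substr( $user->user_pass, 8, 4 );
    $key       = hash_hmac( 'md5', "$username|$pass_frag|$expiration|$token", LOGGED_IN_KEY . LOGGED_IN_SALT );
    $expected  = hash_hmac( 'sha256', "$username|$expiration|$token", $key );
    // Constant-time comparison: a cookie carrying a made-up username fails here.
    if ( ! hash_equals( $expected, $hmac ) ) {
        return false;
    }
    // The token must also be a live session for this user (logout revokes it).
    if ( ! class_exists( 'WP_Session_Tokens' )
        || ! WP_Session_Tokens::get_instance( (int) $user->ID )->verify( $token ) ) {
        return false;
    }
    return $user;
}
```

Once pluggable.php is loaded the first branch hands over to core, so the re-derived key path only runs in the early window the post describes.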