Comments on: How to Make the WordPress Login Cookie Last Longer Than Two Weeks

By: Manster

Manster — Fri, 06 Jan 2012 17:46:02 +0000

On wordpress 3.3.1 you will have to go to line 643 under pluggable.php

By: Rich

Rich — Mon, 07 Nov 2011 16:04:49 +0000

Great! this has been bugging me for ages. Thanks!

By: Michael Clark

Michael Clark — Tue, 12 Jul 2011 17:08:23 +0000

Josh, Sure you could make the expiration value fairly short. But if you make it too short, you won’t be able to do anything since you’ll always have to be logging in. And yes, it is a universal setting for all users. You could replace the code (I wonder if it has plugin hooks in WP 3.2) so that admin users are longer than authors. Realistically though, you’re probably better off leaving the login cookie at two weeks. Or maybe adding in additional security, such as limiting IP addresses that can log in, or simply logging what users are doing.

By: Josh

Josh — Tue, 12 Jul 2011 15:56:50 +0000

Is it possible that this could work in the other direction? And is this a universal setting for all users, or can specific user timeout periods be laid out in this file?

By: Michael Clark

Michael Clark — Thu, 23 Jun 2011 12:12:07 +0000

I’d guess you may be able to write a plugin that would change the login cookie. I’ve never played with manipulating cookies before, nor have I looked in the hooks that are available within WordPress for cookie manipulation. Sorry I can’t be of more help. You’re right though, it may be possible. To be honest though, I don’t quite understand what problem you’d be addressing by doing this. What’s wrong with requiring a new login?

By: Jake

Jake — Thu, 23 Jun 2011 05:00:17 +0000

Hi Michael, I was thinking that if i could read the cookie, store it’s contents in a variable, delete the existing cookie, and set a new cookie with details from the variable and with an extended expiry date, it may work? Right now, I’m trying to figure out how to read the contents of the cookie, and get them to echo out just to see what it puts out. Is there a function i need to call or is all the cookie information stored in a variable already?

By: Michael Clark

Michael Clark — Thu, 23 Jun 2011 04:19:27 +0000

Hi Jake, No, that is not possible. It’s just the way that cookies work. If you look at your cookies in your browser you’ll see the expiration date. I don’ know how each browser stores that information. It might be possible to manually tweak the expiration date of a cookie, but that’s a hassle.

It would be a major security problem if a web site could manipulate cookies without having to set them again. And if you are extending the amount of time a WordPress login cookie is valid for, you should want your user to have to login with their username and password.

By: Jake

Jake — Thu, 23 Jun 2011 04:10:52 +0000

Is there anyway to extend the expiry date in the cookie without having to get the user to log back in?

By: Joy

Joy — Wed, 08 Jun 2011 20:39:05 +0000

This is a great tip. It is definitely annoying to have to re-login so often. Did the recent update to WordPress (version 3+) address this issue. I simply save/store my passwords on the PC so it’s easy to just log back in when it prompts you, but I’m glad to now know that I can adjust the setting to delay “timeouts”.

By: Merna J

Merna J — Sat, 04 Jun 2011 08:03:10 +0000

Great article, thanks!

Many will find this a security issue, It however depends on your blogs popularity and damage it can be done if someone unauthorized gets access. Not that many strangers will actually sit in front of your private computer. There is one bad thing about it tho, if you have a unique password for your WordPress admins page, you will most likely forget it in a while if you haven’t been asked to type it in.

Merna J
Gothenburg, Sweden