How to validate a user from ouside wordpress/php?

I’m working on an ajax application that will be embedded in a wordpress page. The ajax app exchanges data with servlets running on tomcat. Now the servlets need a way to determine if a request comes from a user that is logged in to wordpress. And if the user is logged in, the servlets also must be able to determine the users id in order to be able to query the database. If the user is not logged it, the request will be denied.

So in other words, I need to let a servlet perform a request only if the user who caused the request is logged in to wordpress (version 3.3.x). Both, the servlet (tomcat) and wordpress (apache2) run on the same physical machine and share the same database.

In theory this could easily be solved by doing the following:

  1. During wordpress logon, some user token gets stored in a javascript variable.
  2. The ajax app forwards the user token to the servlets on every call.
  3. The servlets use the token to query wordpress if it is valid (i.e. if the user is logged in) and perform or deny the request.

The question is how can this be implemented on the wordpress side?
Because, what makes the theory so complicated is the fact that i have not yet done any php programming.

First I was thinking of transmitting the wordpress_logged_in (auth) cookie to the servlet and let the servlet query wordpress if the auth cookie is still valid. But as it seems, this can’t be done, as wp_validate_auth_cookie() always fails, even if cookie-data of a logged on user is passed.
An other solution could be to develop a plugin that stores the sessionid and userid in a table, which could easily be queried by the servlets.
Or maybe there’s an other solution…

Solutions Collecting From Web of "How to validate a user from ouside wordpress/php?"

WordPress already has an API built in via an XMLRPC server. Meaning, you can make an XMLRPC request from your java app and verify a username/password. Unfortunately, there’s no way to just authenticate through it as is.

That said, it’s very easy to roll your own. Just hook into xmlrpc_methods, a filter, and add yours. The array key you add with be the xmlrpc method you call from your app, and the value will be the function that gets called by the WordPress XMLRPC server.

add_filter('xmlrpc_methods', 'wpse39662_add_login_method' );
 * Filters the XMLRPC methods to allow just checking the login/pass of
 * a given users
function wpse39662_add_login_method( $methods )
    $methods['wpse39662.login'] = 'wpse39662_check_login';
    return $methods;

And the callback function, wpse39662_check_login, would get one argument passed to it, the array of things sent to the XMLRPC server.

function wpse39662_check_login( $args )
    $username = $args[0];
    $password = $args[1];

    $user = wp_authenticate( $username, $password );

    if( is_wp_error( $user ) )
        return false;
    return true;

Here’s all that as a plugin. With that installed and XMLRPC enabled on your WP site, you should be able to make requests with some XMLRPC client (I’m sure Java has one).

Here’s the code I used to test the above (Python XMLRPC client).

>>> import xmlrpclib as xmlrpc
>>> s = xmlrpc.ServerProxy('')
>>> s.wpse39662.login('admin', 'password')

WordPress (currently) checks if the user is still logged in by checking on one of the cookies it gives out upon login. It constructs the contents of this cookie by doing some hashing. The details are in the “wp_generate_auth_cookie” function in /wp-includes/pluggable.php:

function wp_generate_auth_cookie($user_id, $expiration, $scheme = 'auth') {
    $user = get_userdata($user_id);

    $pass_frag = substr($user->user_pass, 8, 4);

    $key = wp_hash($user->user_login . $pass_frag . '|' . $expiration, $scheme);
    $hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);

    $cookie = $user->user_login . '|' . $expiration . '|' . $hash;

    return apply_filters('auth_cookie', $cookie, $user_id, $expiration, $scheme);

You can re-create this algorithm (using this and the other auth_cookie functions) in your Java code to make the same checks. JS could be used to make sure the cookie gets sent to your servlet.

Otherwise XMLRPC might be a good idea. You could write a new method (as explained in another solution here) to validate the auth cookie (instead of validating username and password like is usually done).

Get the Exec-PHP plugin, and then make a WordPress page (not a post) with a nice permalink (http://mysite/user_id/) and the code on the get_current_user_id() API reference:

$user_id = get_current_user_id();
if ($user_id == 0) {
    echo 'You are currently not logged in.';
} else {
    echo 'You are logged in as user '.$user_id.'.';

You can then extract the cookies the client sends you and put them in a GET request for Then you’ll know whether the user is logged in and what their user ID is.

You could do something like this on the non-wp pages:

// Make sure ^ points to the root of your WP installation

if ( is_user_logged_in() ) {
   // Perform your request here


This is a one-file WordPress plugin that does the job:

function yournamespace_validateAuthCookie($cookie, $scheme = 'logged_in') {
    return wp_validate_auth_cookie($cookie, $scheme);

function yournamespace_new_xmlrpc_methods($methods) {
    $methods['yournamespace.validateAuthCookie'] = 'yournamespace_validateAuthCookie';
    return $methods;
add_filter('xmlrpc_methods', 'yournamespace_new_xmlrpc_methods');

It basically exposes a new XML-RPC method with which you can ask WordPress to validate the wordpress_logged_in_... cookie.

You then need to write some code to query this method and pass it the value of the wordpress_logged_in_... cookie.

This method will return either false (if the cookie doesn’t validate) or the user ID if the validation is successful.