Switch Cookie & Session
What Happens During a Switch
- The current user's ID and session are stored in an HMAC-signed cookie named switchguard_origin.
- The HMAC signature uses a secret derived from the site's AUTH_KEY and the admin's user ID.
- Cookie TTL is 172,800 seconds (48 hours). If not switched back within 48 hours, the origin is forgotten and you must log in again manually.
- The target user's session is established via wp_set_current_user() and wp_set_auth_cookie().
Cookie Security
| Property | Value |
|---|---|
| Name | switchguard_origin |
| HTTP-only | Yes |
| SameSite | Lax |
| Expiry | 48 hours |
| Signature | HMAC (AUTH_KEY + admin user ID) |
- The HMAC signature prevents forging a switch-back as a different admin.
- An attacker who intercepts the cookie cannot determine the origin admin's credentials from it.
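
The signing scheme described in both sections above can be sketched as follows. This is an added example, not SwitchGuard's own code: the payload layout, the SHA-256 choice, the key-derivation step, and the names DEMO_AUTH_KEY, origin_key, sign_origin and verify_origin are assumptions. Only the cookie name, the 48-hour TTL and the "AUTH_KEY + admin user ID" inputs come from this page.

```php
<?php
// Added illustration. DEMO_AUTH_KEY is a constructed stand-in for the site's AUTH_KEY.
const DEMO_AUTH_KEY = 'constructed-demo-value-not-a-real-key';
const ORIGIN_TTL    = 172800; // 48 hours, as documented

// Per-admin signing key (assumed derivation): a signature made for one admin
// never verifies under another admin's ID.
function origin_key(int $admin_id): string {
    return hash_hmac('sha256', 'switchguard_origin|' . $admin_id, DEMO_AUTH_KEY, true);
}

// Assumed cookie layout: "<admin_id>|<expires>|<session_token>|<hex mac>".
// The session token must not contain '|'.
function sign_origin(int $admin_id, string $session_token, int $now): string {
    $payload = $admin_id . '|' . ($now + ORIGIN_TTL) . '|' . $session_token;
    return $payload . '|' . hash_hmac('sha256', $payload, origin_key($admin_id));
}

// Returns the origin admin ID, or null if the cookie is malformed, forged or expired.
function verify_origin(string $cookie, int $now): ?int {
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null;
    }
    [$id, $expires, $token, $mac] = $parts;
    if (!ctype_digit($id) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', "$id|$expires|$token", origin_key((int) $id));
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    // Check expiry only after the signature, so the timestamp is trusted.
    return ((int) $expires >= $now) ? (int) $id : null;
}

$now    = 1700000000; // constructed timestamp
$cookie = sign_origin(7, 'constructed-session-token', $now);

var_dump(verify_origin($cookie, $now + 3600));           // untampered, within TTL
$forged = preg_replace('/^7\|/', '1|', $cookie);         // admin ID altered to 1
var_dump(verify_origin($forged, $now + 3600));           // signature no longer matches
var_dump(verify_origin($cookie, $now + ORIGIN_TTL + 1)); // past the 48-hour TTL
```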