Changeset 33019 for trunk/src/wp-login.php

Timestamp:

07/01/2015 06:32:07 AM (11 years ago)

Author:

dd32

Message:

Expire password reset links after 24 hours (by default). This causes existing password reset links to become invalid.

Props markjaquith, voldemortensen, johnbillion, MikeHansenMe, dd32
See #32429

File:

• trunk/src/wp-login.php (modified) (2 diffs)

trunk/src/wp-login.php

@@ -364 +364 @@
         $wp_hasher = new PasswordHash( 8, true );
     }
-    $hashed = $wp_hasher->HashPassword( $key );
+    $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
     $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
 
@@ -529 +529 @@
 
     if ( isset( $_GET['error'] ) ) {
-        if ( 'invalidkey' == $_GET['error'] )
-            $errors->add( 'invalidkey', __( 'Sorry, that key does not appear to be valid.' ) );
-        elseif ( 'expiredkey' == $_GET['error'] )
-            $errors->add( 'expiredkey', __( 'Sorry, that key has expired. Please try again.' ) );
+        if ( 'invalidkey' == $_GET['error'] ) {
+            $errors->add( 'invalidkey', __( 'Your password reset link appears to be invalid. Please request a new lnk below.' ) );
+        } elseif ( 'expiredkey' == $_GET['error'] ) {
+            $errors->add( 'expiredkey', __( 'Your password reset link has expired. Please request a new link below.' ) );
+        }
     }