Make WordPress Core


Timestamp: 06/04/2024 02:42:29 PM (3 months ago)
Author: audrasjb
Message:

Login and Registration: Flush user_activation_key after successful login.

This changeset ensures the user_activation_key is flushed after successful login, so reset password links cannot be used anymore after the user successfully logs into their dashboard.

Props nsinelnikov, rajinsharwar, Rahmohn, oglekler, hellofromTonya.
Fixes #58901.
See #32429

File: 1 edited

  • trunk/src/wp-includes/user.php

    r58261 r58333  
    111111
    112112    wp_set_auth_cookie( $user->ID, $credentials['remember'], $secure_cookie );
     113
     114    /**
     115     * @global wpdb $wpdb WordPress database abstraction object.
     116     */
     117    global $wpdb;
     118
     119    // Flush `user_activation_key` if exists after successful login.
     120    if ( ! empty( $user->user_activation_key ) ) {
     121        $wpdb->update(
     122            $wpdb->users,
     123            array(
     124                'user_activation_key' => '',
     125            ),
     126            array( 'ID' => $user->ID ),
     127            array( '%s' ),
     128            array( '%d' )
     129        );
     130
     131        // Empty user_activation_key object.
     132        $user->user_activation_key = '';
     133    }
     134
    113135    /**
    114136     * Fires after the user has successfully logged in.
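
Review bot: The `$wpdb->update()` call at new lines 121-129 writes to `$wpdb->users` directly, and nothing in the hunk invalidates the cached user record afterwards; only the local `$user` object is patched at line 132. Any code path that later loads this user from the object cache rather than from the database can still see the old `user_activation_key`, which is the value this change is meant to retire. Consider calling `clean_user_cache( $user )` right after the update. The return value of `$wpdb->update()` is also ignored: if the query fails, `$user->user_activation_key = '';` still runs, so the in-memory object reports the key as cleared while the stored row keeps it. Guarding the assignment on a non-`false` result would keep the two consistent. Minor: the inline comment "Empty user_activation_key object." would read more accurately as a note that the property on the in-memory `$user` is being cleared to match the database.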