Make WordPress Core


Timestamp:
01/16/2025 03:33:31 PM (6 months ago)
Author:
johnbillion
Message:

Users: Retain the current session when a user changes their password.

Prior to this change a new session was unnecessarily created when a user changed their own password.

Existing authentication cookies for the user will still be invalidated regardless of whether they share the same session token because session cookie keys contain a substring of the password hash.

Props snicco, narenin, johnbillion

Fixes #61366

File:
1 edited

  • trunk/src/wp-includes/user.php

    r59595 r59633  
    27812781    if ( $current_user->ID === $user_id ) {
    27822782        if ( isset( $plaintext_pass ) ) {
    2783             wp_clear_auth_cookie();
    2784 
    27852783            /*
    27862784             * Here we calculate the expiration length of the current auth cookie and compare it to the default expiration.
     
    27912789            $default_cookie_life = apply_filters( 'auth_cookie_expiration', ( 2 * DAY_IN_SECONDS ), $user_id, false );
    27922790
     2791            wp_clear_auth_cookie();
     2792
    27932793            $remember = false;
     2794            $token    = '';
     2795
     2796            if ( false !== $logged_in_cookie ) {
     2797                $token = $logged_in_cookie['token'];
     2798            }
    27942799
    27952800            if ( false !== $logged_in_cookie && ( (int) $logged_in_cookie['expiration'] - time() ) > $default_cookie_life ) {
     
    27972802            }
    27982803
    2799             wp_set_auth_cookie( $user_id, $remember );
     2804            wp_set_auth_cookie( $user_id, $remember, '', $token );
    28002805        }
    28012806    }
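Review bot: the reused token at lines 2796-2798 is taken from `$logged_in_cookie['token']` behind only a `false !== $logged_in_cookie` guard, and this hunk does not show whether `$logged_in_cookie` (assigned in the elided lines above) was validated against the user's session store or merely parsed; please confirm it is a validated cookie, or state that handing a token that `wp_set_auth_cookie( $user_id, $remember, '', $token )` cannot match to a current session is acceptable here, since a non-matching token would leave the user without a usable session rather than retaining the current one. Minor: the two `false !== $logged_in_cookie` checks at 2796 and 2800 could be folded into a single block so the token extraction and the expiration comparison sit together.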