Make WordPress Core

Opened 13 years ago

Closed 11 years ago

#18771 closed defect (bug) (worksforme)

Reset Password link generation

Reported by: binaryweb's profile binaryweb Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.2.1
Component: Users Keywords: reporter-feedback
Focuses: Cc:


I have been having problems with the login following a reset password.

A user click the "forgotten password" link and then after receiving the email clicks the link in the email to reset their password submits their new password gets a message that says "You have successfully reset your passoword. Log in" The link for login is not being generated correctly which is causing them to get a "Invalid Key" error.

Here is what I have dont to temporarily resolve the issue:

in wp-login.php I modified the following lines of code:

changed Line 207:

if ( empty($key) ) {

to this:

if ( empty($key) || preg_match('/[^a-z0-9]/i',$key) != 0) {

Removing special characters from the key that gets emailed to the users when they click the "forgotten password" link on the login page.

Commented out Line 444:

login_header(__('Password Reset'), '<p class="message reset-pass">' . __('Your password has been reset.') . ' <a href="' . site_url('wp-login.php', 'login') . '">' . __('Log in') . '</a></p>');

then slightly modified it removing the login link from the message

login_header(__('Password Reset'), '<p class="message reset-pass">' . __('Your password has been reset.') . '</p>');

This change forces the user to return to the homepage before logging in again and then they dont get the "invalid key" error.

It would be nice if there were a more permenant fix for this issue that wouldn't get lost when we update the next time.

Change History (10)

#1 @kawauso
13 years ago

The password retrieval key is generated using wp_generate_password() with $special_chars = false so the key should only have alphanumeric characters, but the function can be replaced and filtered.

Can you confirm if the issue persists when plugins are all deactivated and Twenty Eleven is being used?

#2 @kawauso
13 years ago

  • Keywords reporter-feedback added

#3 @binaryweb
13 years ago

  • Keywords reporter-feedback removed

I know about the $special_chars = false, i did the first step just to be absolutely sure.

Yes, the issue persists even when plugins are deactivated and default theme is being used.

#4 @solarissmoke
13 years ago

I'm not sure I understand what the problem is. The login link is just a link to wp-login.php - and has nothing to do with the password reset key. Could you give the exact steps to reproduce?

#5 @binaryweb
13 years ago

The problem is that the login link that when a user logs in using the login link that I removed in the code I edited (shown above) they are given an error that says "invalid key".

I am going to do some testing in the next couple of days because after thinking about the issue more I have realized that it could be a cookie issue since you are never redirected away from the login page after clicking the reset password link in the email.

will keep you posted on the status of my testing.

#6 @binaryweb
13 years ago

Ok after further testing it is not a cookie issue.

That said, I went back to the Twenty Ten theme instead of the Twenty Eleven theme since that didnt work and on the Twenty Ten theme the problem does not exist.

Any help would be appreciated.

#7 @solarissmoke
13 years ago

  • Keywords close added

I don't really see how the theme should affect the login/password reset pages, as those are all part of the back end. I suggest you take this to the forums for help and if there is indeed a bug in core, feel free to come back to this ticket.

#8 @dd32
13 years ago

Can you please post an example URL that's sent in the email, and the resulting link which causes the invalid key warning?

#9 @binaryweb
13 years ago


Link from email


The url that shows up for the page that causes the invalid key warming in the address bar is simply


I will post in the forms shortly. Thanks for your help.

Last edited 13 years ago by binaryweb (previous) (diff)

#10 @SergeyBiryukov
11 years ago

  • Keywords reporter-feedback added; close removed
  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

Feel free to reopen with the steps to reproduce on a clean install if there's still a problem.

Note: See TracTickets for help on using tickets.