
Opened 3 years ago

Closed 10 months ago

#18771 closed defect (bug) (worksforme)

Reset Password link generation

Reported by: binaryweb
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.2.1
Component: Users
Keywords: reporter-feedback
Focuses:
Cc:

Description

I have been having problems with the login following a reset password.

A user clicks the "forgotten password" link and then, after receiving the email, clicks the link in the email to reset their password, submits their new password, and gets a message that says "You have successfully reset your password. Log in". The link for login is not being generated correctly, which is causing them to get an "Invalid Key" error.

Here is what I have done to temporarily resolve the issue:

in wp-login.php I modified the following lines of code:

changed Line 207:

if ( empty($key) ) {

to this:

if ( empty($key) || preg_match('/[^a-z0-9]/i',$key) != 0) {

Removing special characters from the key that gets emailed to the users when they click the "forgotten password" link on the login page.

Commented out Line 444:

login_header(__('Password Reset'), '<p class="message reset-pass">' . __('Your password has been reset.') . ' <a href="' . site_url('wp-login.php', 'login') . '">' . __('Log in') . '</a></p>');

then slightly modified it removing the login link from the message

login_header(__('Password Reset'), '<p class="message reset-pass">' . __('Your password has been reset.') . '</p>');

This change forces the user to return to the homepage before logging in again, and then they don't get the "invalid key" error.

It would be nice if there were a more permanent fix for this issue that wouldn't get lost when we update the next time.

Change History (10)

comment:1 by kawauso, 3 years ago

The password retrieval key is generated using wp_generate_password() with $special_chars = false so the key should only have alphanumeric characters, but the function can be replaced and filtered.

Can you confirm if the issue persists when plugins are all deactivated and Twenty Eleven is being used?
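The following is an added illustration of the two points raised so far (the reporter's alphanumeric guard on the key in the description, and the note above that the key is generated with $special_chars = false). It is not WordPress core code and not the reporter's patch; it is a stand-alone PHP model of a reset-key lifecycle. Assumptions made here: the key is 20 alphanumeric characters (matching the shape of the emailed key later in this ticket), and the function names generate_reset_key, key_looks_valid, issue_reset_key and check_reset_key are hypothetical names chosen for the example.

```php
<?php
// Added example, not WordPress core: a minimal model of a password-reset-key
// lifecycle. All function names below are hypothetical.
declare(strict_types=1);

// Assumption: keys are 20 alphanumeric characters, i.e. what a
// wp_generate_password()-style call with $special_chars = false produces.
const RESET_KEY_LENGTH  = 20;
const RESET_KEY_PATTERN = '/^[A-Za-z0-9]{20}$/';

// Generate a key from a CSPRNG. rand()/mt_rand() are not acceptable here.
function generate_reset_key(int $length = RESET_KEY_LENGTH): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $key;
}

// The reporter's guard, made strict: the submitted key must be exactly the
// expected length and alphabet. Anything else is rejected before any lookup.
function key_looks_valid(string $key): bool
{
    return preg_match(RESET_KEY_PATTERN, $key) === 1;
}

// Issue a key for a login. Only the hash is kept server-side; the plaintext
// key goes into the email link and is never stored.
// Returns [plaintext key, record to store].
function issue_reset_key(string $login, int $ttl_seconds = 86400): array
{
    $key = generate_reset_key();
    $record = [
        'login'   => $login,
        'hash'    => password_hash($key, PASSWORD_DEFAULT),
        'expires' => time() + $ttl_seconds,
    ];
    return [$key, $record];
}

// Validate a submitted key. Every failure path yields the same generic
// "invalid key" outcome, so the response does not reveal whether the login
// exists, the key expired, or the format was wrong.
function check_reset_key(string $login, string $key, ?array $record): bool
{
    if ($record === null || $record['login'] !== $login) {
        return false;
    }
    if (!key_looks_valid($key)) {
        return false;
    }
    if (time() > $record['expires']) {
        return false;
    }
    // password_verify() performs a constant-time comparison.
    return password_verify($key, $record['hash']);
}

// Demonstration with a constructed user and a constructed stored record.
[$key, $record] = issue_reset_key('USERNAME');
printf("Email link: wp-login.php?action=rp&key=%s&login=USERNAME\n", $key);

$cases = [
    'correct key'         => $key,
    'key with stray char' => $key . '!',
    'wrong key'           => generate_reset_key(),
    'empty key'           => '',
];
foreach ($cases as $label => $candidate) {
    printf("%-20s -> %s\n", $label,
        check_reset_key('USERNAME', $candidate, $record) ? 'accepted' : 'invalid key');
}
```

Only the first case is accepted; the other three all fall through to the same "invalid key" result, which is the behaviour a practitioner wants when a key fails for any reason. Note that a guard like the reporter's preg_match alone only rejects malformed keys; the hash comparison and the expiry check are what actually decide whether a well-formed key is valid.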

comment:2 by kawauso, 3 years ago

  • Keywords reporter-feedback added

comment:3 by binaryweb, 3 years ago

  • Keywords reporter-feedback removed

I know about the $special_chars = false; I did the first step just to be absolutely sure.

Yes, the issue persists even when plugins are deactivated and default theme is being used.

comment:4 by solarissmoke, 3 years ago

I'm not sure I understand what the problem is. The login link is just a link to wp-login.php - and has nothing to do with the password reset key. Could you give the exact steps to reproduce?

comment:5 by binaryweb, 3 years ago

The problem is that when a user logs in using the login link that I removed in the code I edited (shown above), they are given an error that says "invalid key".

I am going to do some testing in the next couple of days because after thinking about the issue more I have realized that it could be a cookie issue since you are never redirected away from the login page after clicking the reset password link in the email.

I will keep you posted on the status of my testing.

comment:6 by binaryweb, 3 years ago

OK, after further testing it is not a cookie issue.

That said, I went back to the Twenty Ten theme instead of the Twenty Eleven theme, since that didn't work, and on the Twenty Ten theme the problem does not exist.

Any help would be appreciated.

comment:7 by solarissmoke, 3 years ago

  • Keywords close added

I don't really see how the theme should affect the login/password reset pages, as those are all part of the back end. I suggest you take this to the wordpress.org forums for help and if there is indeed a bug in core, feel free to come back to this ticket.

comment:8 by dd32, 3 years ago

Can you please post an example URL that's sent in the email, and the resulting link which causes the invalid key warning?

comment:9 by binaryweb, 3 years ago

@DD32

Link from email

wp-login.php?action=rp&key=io63fUGQu93JMuLfdcao&login=USERNAME


The URL that shows up in the address bar for the page that causes the invalid key warning is simply
wp-login.php

@solarissmoke

I will post in the WP.org forums shortly. Thanks for your help.

Version 3, edited 3 years ago by binaryweb

comment:10 by SergeyBiryukov, 10 months ago

  • Keywords reporter-feedback added; close removed
  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

Feel free to reopen with the steps to reproduce on a clean install if there's still a problem.
