WordPress.org

Make WordPress Core

Opened 9 years ago

Closed 6 years ago

#21314 closed enhancement (duplicate)

Add password reset key expiration

Reported by: skithund Owned by:
Milestone: Priority: normal
Severity: minor Version: 3.4.1
Component: Users Keywords: has-patch needs-testing needs-refresh
Focuses: Cc:

Description

Password reset using correct user_activation_key is currently possible forever.

Attached is a patch which clears newly created user_activation_key after one week.

Attachments (2)

21314.diff (2.5 KB) - added by skithund 9 years ago.
reset-password.patch (2.6 KB) - added by dllh 7 years ago.
non-cron approach

Download all attachments as: .zip

Change History (8)

@skithund
9 years ago

#1 @sirzooro
9 years ago

  • Cc sirzooro added

#2 @jeremyfelt
8 years ago

  • Keywords needs-testing needs-refresh added
  • Milestone changed from Awaiting Review to Future Release

This seems sane to me. Better than having activation keys hanging out in the wild. Definitely worth discussing for the future.

Can we use wp_update_user() for this rather than the direct query?

#3 @dllh
7 years ago

I was thinking that a cron job might not be the best approach, as it depends entirely on there being traffic to the site to fire the code. I'm not sure whether a request to actually reset the password would cause the cron to clean up old keys to fire or not. I put together a different concept that sets a timestamp in usermeta on reset request, checks it when the reset link is visited, and deletes it to clean up upon successful login. I'm not sold on my approach but thought I'd put it out there for consideration alongside the other proposal.

@dllh
7 years ago

non-cron approach

#4 follow-up: @hypertextranch
7 years ago

Just tossing this idea out there, what about expiring the reset link upon successful login instead/as well?

#5 in reply to: ↑ 4 @dllh
7 years ago

Replying to hypertextranch:

Just tossing this idea out there, what about expiring the reset link upon successful login instead/as well?

Yep, that happens with my patch because we delete the usermeta on login, and the reset link bails if the meta is empty, which it will be after login.

#6 @dd32
6 years ago

  • Milestone Future Release deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #32429.

Note: See TracTickets for help on using tickets.