Make WordPress Core

Opened 12 years ago

Closed 9 years ago

#21314 closed enhancement (duplicate)

Add password reset key expiration

Reported by: skithund's profile skithund Owned by:
Milestone: Priority: normal
Severity: minor Version: 3.4.1
Component: Users Keywords: has-patch needs-testing needs-refresh
Focuses: Cc:


Password reset using correct user_activation_key is currently possible forever.

Attached is a patch which clears newly created user_activation_key after one week.

Attachments (2)

21314.diff (2.5 KB) - added by skithund 12 years ago.
reset-password.patch (2.6 KB) - added by dllh 10 years ago.
non-cron approach

Download all attachments as: .zip

Change History (8)

12 years ago

#1 @sirzooro
12 years ago

  • Cc sirzooro added

#2 @jeremyfelt
10 years ago

  • Keywords needs-testing needs-refresh added
  • Milestone changed from Awaiting Review to Future Release

This seems sane to me. Better than having activation keys hanging out in the wild. Definitely worth discussing for the future.

Can we use wp_update_user() for this rather than the direct query?

#3 @dllh
10 years ago

I was thinking that a cron job might not be the best approach, as it depends entirely on there being traffic to the site to fire the code. I'm not sure whether a request to actually reset the password would cause the cron to clean up old keys to fire or not. I put together a different concept that sets a timestamp in usermeta on reset request, checks it when the reset link is visited, and deletes it to clean up upon successful login. I'm not sold on my approach but thought I'd put it out there for consideration alongside the other proposal.

10 years ago

non-cron approach

#4 follow-up: @hypertextranch
10 years ago

Just tossing this idea out there, what about expiring the reset link upon successful login instead/as well?

#5 in reply to: ↑ 4 @dllh
10 years ago

Replying to hypertextranch:

Just tossing this idea out there, what about expiring the reset link upon successful login instead/as well?

Yep, that happens with my patch because we delete the usermeta on login, and the reset link bails if the meta is empty, which it will be after login.

#6 @dd32
9 years ago

  • Milestone Future Release deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #32429.

Note: See TracTickets for help on using tickets.