Make WordPress Core

Opened 21 months ago

Last modified 8 weeks ago

#21314 new enhancement

Add password reset key expiration

Reported by: skithund
Owned by:
Milestone: Future Release
Priority: normal
Severity: minor
Version: 3.4.1
Component: Users
Keywords: has-patch needs-testing needs-refresh
Focuses:
Cc:

Description

Password reset using the correct user_activation_key is currently possible forever.

Attached is a patch which clears a newly created user_activation_key after one week.

Attachments (1)

21314.diff (2.5 KB) - added by skithund 21 months ago.

Change History (3)

skithund 21 months ago

comment:1 sirzooro 21 months ago

  • Cc sirzooro added

comment:2 jeremyfelt 8 weeks ago

  • Keywords needs-testing needs-refresh added
  • Milestone changed from Awaiting Review to Future Release

This seems sane to me. Better than having activation keys hanging out in the wild. Definitely worth discussing for the future.

Can we use wp_update_user() for this rather than the direct query?
