Make WordPress Core

Opened 16 months ago

Last modified 15 months ago

#38769 new defect (bug)

Possible password reset loop

Reported by: yetAnotherDaniel
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords: needs-patch
Focuses: ui
Cc:

Description

Bug summary

After registering (wp-login.php?action=register) you get straight to the login screen with a small notice to check your email (wp-login.php?checkemail=registered). But logging in is not even possible, because users have to set their password via a link provided in their email in the first place. If users nevertheless try to log in, they get a misleading error message that could lead to an endless loop of password resets, and the user will not be able to register.

Bug 1:
There should be no login form where a user cannot log in.
(attachment 1)

Bug 2:
There should be the message that the user has to set the password first.
(attachment 2)

While these things seem to be tiny, the results are severe.

Bug description

If users register, after submitting the register form they see the login form with the message "Registration complete. Please check your email." on top. They often overlook this message and try to log in even though they haven't set a password yet.

This leads to situations where users are not able to register:

  1. When users try to log in directly after registration they get the message that the password is wrong. (see attachment)
  2. Because of the misstated error message they go to the "Lost your password?" form and try to get a new password.
  3. They now check their email for the first time and open the email from the registration (!) and not the "lost password" email.
  4. They click on the link for setting the password in the registration email.
  5. This link is invalid because of step 2.
  6. They then try again to get a new password.
  7. They go back to their email account and open the email from step 2 (!) and open this link. Because of step 6 the link is again invalid.
  8. They try to get a new password.
  9. And so on.

Having the impression of being trapped in an endless loop, they often think that the website is full of bugs, are not interested in registering anymore, or contact support to get the bugs fixed.

I could provide dozens, if not hundreds, of cases where this happened on my website.

How to reproduce the bugs?

  1. Try to register.
  2. Try to log in even without a password (put your usual password in).
  3. Reset your password after the error message.
  4. Go to your email account and open the registration email. Click on the link.
  5. You get the message that the link is invalid. Reset your password again.
  6. Open the email from step 3, and so on.

tl;dr

After registration you see the login form even though you haven't set a password yet. If you try to log in (even though you haven't set a password yet) you get a misleading error message that could trap you in an endless password reset process. Users then give up on registering or contact support. It is not just theory. Every day I lose angry customers or have to support them. Please have a look at the attachments.

Attachments (2)

registration-bug.png (35.9 KB) - added by yetAnotherDaniel 16 months ago.
Bug 1
login-bug.png (43.0 KB) - added by yetAnotherDaniel 16 months ago.
Bug 2


Change History (7)

@yetAnotherDaniel
16 months ago

Bug 2

#1 @yetAnotherDaniel
16 months ago

Ticket #37070 refers to one of the bugs.

Last edited 16 months ago by yetAnotherDaniel

#2 @yetAnotherDaniel
16 months ago

  • Severity changed from normal to major

#3 @yetAnotherDaniel
16 months ago

Additional note:

If there is a small delay in the email delivery process the user will not even receive the current password reset email. Therefore, the user can only open the invalid link of an older password reset email and has no chance at all to escape the endless password reset loop trap.

#4 @obenland
15 months ago

  • Focuses ui added
  • Keywords needs-patch added
  • Severity changed from major to normal
  • Version 4.6.1 deleted

We could hide the password reset link in the error message if the registration is not complete. It would still be available underneath the login box but I think that's fine.

#5 @obenland
15 months ago

  • Summary changed from Bugs in wp-login.php to Possible password reset loop