Make WordPress Core

Opened 6 years ago

#42610 new defect (bug)

Admin created account password reset process not reverse proxy friendly

Reported by: normjhansen
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.9
Component: Login and Registration
Keywords:
Focuses:
Cc:


WordPress newbie, so feel free to point me to a better resolution. Couldn't find anything quite like this.

Have WP running mostly correctly behind a reverse proxy, so no one ever directly touches blog.<domain>.com (the WP site); instead they access it through www.<domain>.com/blog.

If I create user accounts in the admin, it sends initial password reset links to the new accounts, which have a format like www.<domain>.com/blog/wp-login.php?action=rp&key=<hash>&login=<user>

In wp-login.php, I see the case that catches the rp action, and it does something with the key and user parameters, then strips them off and redirects again to wp-login as follows:

wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) );

I'm unclear on why this line doesn't incorporate site_url as do several other places in nearby code. The user ends up getting a redirect to /wp-login.php. That is, from the user's perspective (not seeing the reverse proxy activity), it looks like:

redirects to
which is a 404

From the WP server's perspective, it told
to redirect to
which would have been fine if there were no reverse proxy involved.

This is not the desired behavior in my case, and I would think it would be safe to redirect to
<site_url>/wp-login.php?<query string with key and login removed>

I can work around it in the main site's rewrite rules by forcing /wp-login to /blog/wp-login, but that seems as if it shouldn't be necessary.

Thanks for your consideration.
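The redirect behaviour described in this ticket, modelled as an added Python example; it is not part of the ticket and is not WordPress code. It assumes the proxy strips the /blog prefix before forwarding and that site_url is the public /blog address; example.com, SAMPLEKEY and alice are constructed stand-ins.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, urljoin

# Constructed stand-ins: example.com replaces the ticket's <domain>; the proxy
# is assumed to map PUBLIC_ORIGIN/blog/* onto the backend's /*.
PUBLIC_ORIGIN = "https://www.example.com"
PROXY_PREFIX = "/blog"
SITE_URL = PUBLIC_ORIGIN + PROXY_PREFIX  # assumed site_url setting
RESET_LINK = SITE_URL + "/wp-login.php?action=rp&key=SAMPLEKEY&login=alice"

def behind_proxy(url):
    """True if the proxy forwards this public URL to the WordPress backend."""
    path = urlsplit(url).path
    return path == PROXY_PREFIX or path.startswith(PROXY_PREFIX + "/")

def backend_request_uri(public_url):
    """Path and query the backend sees once the proxy has stripped the prefix."""
    parts = urlsplit(public_url)
    path = parts.path
    if behind_proxy(public_url):
        path = path[len(PROXY_PREFIX):] or "/"
    return urlunsplit(("", "", path, parts.query, ""))

def strip_args(url, keys=("key", "login")):
    """Drop the named query arguments, like the ticket's remove_query_arg() call."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in keys]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))

def current_location(public_url):
    """Location header built from the backend's own request URI (ticket behaviour)."""
    return strip_args(backend_request_uri(public_url))

def site_url_location(public_url):
    """Reporter's proposal: <site_url>/wp-login.php?<query without key and login>."""
    query = urlsplit(strip_args(public_url)).query
    return SITE_URL + "/wp-login.php" + ("?" + query if query else "")

def browser_lands_on(public_url, location):
    """Resolve the Location header against the URL the browser actually requested."""
    return urljoin(public_url, location)

if __name__ == "__main__":
    for build in (current_location, site_url_location):
        target = browser_lands_on(RESET_LINK, build(RESET_LINK))
        print(build.__name__, "->", target, "| proxied:", behind_proxy(target))
```

In both cases the reset key is gone from the URL the browser ends up on; only the site_url-based redirect stays under the proxied /blog path.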

Change History (0)
