Make WordPress Core

Opened 16 months ago

Last modified 16 months ago

#58427 new defect (bug)

Retain existing user session when changing password

Reported by: dd32
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.0
Component: Users
Keywords: dev-feedback 2nd-opinion has-patch
Focuses:
Cc:

Description

When a user changes their password, their existing user session is ignored and a new session is started.

This happens due to wp_update_user() not passing the current session token to wp_set_auth_cookie().

https://github.com/WordPress/wordpress-develop/blob/e82251df5bd59fb4327d0b0aa7a57ade20fe97c2/src/wp-includes/user.php#L2717-L2735

This can cause problems for some plugins which use the attach_session_information hook, or which add additional information to the current session through WP_Session_Manager::update().

Another issue that occurs when the password is updated through the REST API is that a new session will be created, but the response (and the rest of the REST API processing) will be operating with the old session token, as that's what's set in $_COOKIE. So if any user fields in the REST API response rely on a piece of session metadata, they'll be incorrect for the following HTTP requests from the user.

The workaround for plugins is to hook to attach_session_information and, when a new session is being created for the current user, copy the current session's metadata over to the new session. This is less than ideal, as it's not clear that the new session is definitely the same as the client's session (i.e. the newly created session might not come from wp_set_auth_cookie() and might be a new session created for another purpose).

PR attached, which retains the existing session when changing the password.
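The two sides of the ticket, as an added illustration that is not code from the ticket or from PR #4522: first the plugin-side workaround the description talks about (an attach_session_information filter that copies the metadata of the session the client is actually using into the new one), then the core-side approach the ticket asks for (reissuing the auth cookies with the existing session token so that no new session is created). The `example_` function names are hypothetical; everything else used here (wp_get_session_token(), wp_parse_auth_cookie(), the WP_Session_Tokens store with its get() and update() methods, the attach_session_information filter, and the $token parameter of wp_set_auth_cookie()) is the WordPress 4.0+ session API. WP_Session_Tokens is the core class name for the session store the description refers to.

```php
<?php
/**
 * Added illustration for ticket #58427; not code from the ticket or its PR.
 * The example_* functions are hypothetical names.
 */

// ---------------------------------------------------------------------------
// 1. Plugin-side workaround described in the ticket: when a new session is
//    being created for the currently logged-in user, carry the metadata of the
//    session the client is using over to the new session.
// ---------------------------------------------------------------------------
add_filter( 'attach_session_information', 'example_copy_current_session_metadata', 10, 2 );

/**
 * @param array $session Data for the session that is about to be stored.
 * @param int   $user_id User the new session belongs to.
 * @return array
 */
function example_copy_current_session_metadata( $session, $user_id ) {
	// Only act when the new session is for the user making this request.
	if ( (int) $user_id !== get_current_user_id() ) {
		return $session;
	}

	// Token of the session the client presented in its logged_in cookie ('' if none).
	$current_token = wp_get_session_token();
	if ( '' === $current_token ) {
		return $session;
	}

	$current = WP_Session_Tokens::get_instance( $user_id )->get( $current_token );
	if ( ! is_array( $current ) ) {
		return $session;
	}

	// Copy plugin-owned keys only. Core's own keys (expiration, ip, ua, login)
	// describe the *new* session and must not be overwritten.
	$core_keys = array( 'expiration', 'ip', 'ua', 'login' );
	foreach ( $current as $key => $value ) {
		if ( in_array( $key, $core_keys, true ) || array_key_exists( $key, $session ) ) {
			continue;
		}
		$session[ $key ] = $value;
	}

	// Caveat from the ticket: this filter cannot tell whether the new session
	// replaces the client's session (password change) or was created for some
	// other purpose, so the copied metadata may land on a session the client
	// never uses.
	return $session;
}

// ---------------------------------------------------------------------------
// 2. Core-side approach the ticket asks for: reissue the auth cookies for the
//    session that already exists instead of creating a new one.
//    wp_set_auth_cookie() only creates a new session when $token is ''.
// ---------------------------------------------------------------------------

/**
 * Reissue auth cookies for $user_id after a password change, keeping the
 * session named in the request's logged_in cookie.
 *
 * @param int $user_id The user whose password was just changed (the current user).
 */
function example_reissue_auth_cookie_keeping_session( $user_id ) {
	$logged_in_cookie = wp_parse_auth_cookie( '', 'logged_in' );

	// Same heuristic core uses: a logged_in cookie living longer than the
	// default lifetime means the user checked "Remember Me" when logging in.
	/** This filter is documented in wp-includes/pluggable.php */
	$default_cookie_life = apply_filters( 'auth_cookie_expiration', 2 * DAY_IN_SECONDS, $user_id, false );
	$remember            = false;
	if ( false !== $logged_in_cookie && ( $logged_in_cookie['expiration'] - time() ) > $default_cookie_life ) {
		$remember = true;
	}

	// Hand the existing token back to wp_set_auth_cookie(); with a non-empty
	// token it regenerates the cookies for that same session and does not call
	// WP_Session_Tokens::create(), so attach_session_information never fires.
	$token = ( false !== $logged_in_cookie && ! empty( $logged_in_cookie['token'] ) )
		? $logged_in_cookie['token']
		: '';

	wp_set_auth_cookie( $user_id, $remember, '', $token );
}
```

The first function is what a plugin can do today; the second shows the shape of the change the ticket proposes for wp_update_user(), where the cookie is currently reissued without the token. Note that when the token falls back to '' (no valid logged_in cookie in the request) the call behaves exactly like the current core code and a fresh session is created.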

Change History (2)

#1
16 months ago

This ticket was mentioned in PR #4522 on WordPress/wordpress-develop by @dd32.

  • Keywords has-patch added

#2 @dd32
16 months ago

This also causes "Not logged in anywhere else" to change to "You can log out everywhere else, and stay logged in here." on the profile screen, suggesting that the user is still logged in elsewhere.

An example of that is included in this screen recording: https://github.com/WordPress/two-factor/issues/573

Last edited 16 months ago by dd32