Make WordPress Core

Opened 12 months ago

Last modified 12 months ago

#58427 new defect (bug)

Retain existing user session when changing password

Reported by: dd32's profile dd32 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.0
Component: Users Keywords: dev-feedback 2nd-opinion has-patch
Focuses: Cc:

Description

When a user changes their password, their existing user session is ignored and a new session is started.

This happens due to wp_update_user() not passing the current session token to wp_set_auth_cookie().

https://github.com/WordPress/wordpress-develop/blob/e82251df5bd59fb4327d0b0aa7a57ade20fe97c2/src/wp-includes/user.php#L2717-L2735

This can cause problems for some plugins which use the attach_session_information hook, or, which add additional information to the current session through WP_Session_Manager::update().

Other issues that occur is when the password is updated through the rest api, is that a new session will be created, but the response (and rest of the rest api processing) will be operating with the old session token, as that's what's set in $_COOKIE. So if any user fields in the rest-api response are reliant upon a piece of session metadata, it'll be incorrect for the following HTTP requests from the user.

The workaround for plugins is to hook to attach_session_information and when a new session is being created for the current user, copy the current sessions metadata over to the new session. This is less than ideal, as it's not clear that the new session is definitely the same as the clients session (ie. The newly created session might not come from wp_set_auth_cookie() and might be a new session created for another purpose).

PR attached, which retains the existing session when changing the password.

Change History (2)

This ticket was mentioned in PR #4522 on WordPress/wordpress-develop by @dd32.


12 months ago
#1

  • Keywords has-patch added

#2 @dd32
12 months ago

This also causes the Not logged in anywhere else to change to You can log out everywhere else, and stay logged in here. on the profile screen - suggesting that the user is still logged in elsewhere.

An example of that is included in this screen recording: https://github.com/WordPress/two-factor/issues/573

Last edited 12 months ago by dd32 (previous) (diff)
Note: See TracTickets for help on using tickets.