Opened 4 months ago
Last modified 2 months ago
#58901 assigned enhancement
Flush 'user_activation_key' after successfully login
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | 6.5 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Login and Registration | Keywords: | has-patch has-unit-tests needs-testing needs-refresh |
| Focuses: | Cc: |
Description
Hi all,
Let's imagine the next steps:
- User goes to
{site_url}/wp-login.php?action=lostpasswordfor getting reset password link to its email.
- Then go to email and open the reset password link with an expiration time (
DAY_IN_SECONDSby default). It has been resolved a long time ago. But then he remembers his old password and login using a second web browser with its username and old password. At the same time, the link to reset the password remains active in the first browser for a whole day.
- If it's a public laptop anybody can use the reset password link and login with new credentials and make some hacker things.
Suggestions:
Flush the 'user_activation_key' after successful login:
wp-includes/user.php::line 113 before
do_action( 'wp_login', $user->user_login, $user );
Can be added this line:
global $wpdb;
$wpdb->update(
$wpdb->users,
array(
'user_activation_key' => '',
),
array( 'ID' => $user->ID )
);
Best Regards!
Attachments (1)
Change History (13)
This ticket was mentioned in PR #4899 on WordPress/wordpress-develop by @nsinelnikov.
4 months ago
#1
- Keywords has-patch added
This ticket was mentioned in PR #4914 on WordPress/wordpress-develop by @nsinelnikov.
4 months ago
#2
Flushing 'user_activation_key' after successful login
Trac ticket: https://core.trac.wordpress.org/ticket/58901
@nsinelnikov commented on PR #4899:
4 months ago
#3
The proper PR is here
#6
@
4 months ago
- Keywords needs-unit-tests added
- Owner set to rajinsharwar
- Status changed from new to assigned
I believe we will be needing unit tests for this.
#7
@
3 months ago
- Keywords has-unit-tests added; needs-unit-tests removed
Hi @nsinelnikov
I've added a patch that updates to clear the user_activation_key property from the user object and adds a test.
#8
follow-up:
↓ 9
@
3 months ago
- Keywords needs-testing added
I wonder if clean_user_cache( $user_id ) is a better way to clear the cache.
#9
in reply to:
↑ 8
@
3 months ago
Replying to oglekler:
I wonder if
clean_user_cache( $user_id )is a better way to clear the cache.
Hi @oglekler
If I'm not wrong, `clean_user_cache( $user_id ) just removes the cache for the user ID, login, nicename, email and meta but the link to reset the password will still be valid. That way, cleaning the user cache after a successful login doesn't seem to help in this case.
#10
@
2 months ago
- Keywords needs-refresh added
I was suggesting use clean_user_cache( $user_id ); instead of $user->__set( 'user_activation_key', '' );
I've tested the last patch, it works as expected, but I was unable to actually apply the patch, tests need a rebase.
This ticket was mentioned in Slack in #core by oglekler. View the logs.
2 months ago
#12
@
2 months ago
- Milestone changed from 6.4 to 6.5
In 58901.diff, directly invoking the __set() magic method is not preferred. And 'user_activation_key' is a dynamic property (i.e. undeclared property of WP_User) that is incompatible with PHP 8.2 and beyond.
I think this needs more consideration of how to reset the cached activation key. More test reports before and after would also be helpful.
Tomorrow being Beta 1. Moving it to 6.5 to give the ticket more time.
Flushing 'user_activation_key' after successful login
Trac ticket: https://core.trac.wordpress.org/ticket/58901