#58911 closed enhancement (worksforme)
Destroy logged in sessions after successfully password reset
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 6.3 |
| Component: | Login and Registration | Keywords: | has-patch close |
| Focuses: | | Cc: | |
Description
There is a wp-login.php form popup if the session is expired in wp-admin. But for the frontend part there can be this enhancement:
- Go to Browser A and log in with your credentials.
- Go to Browser B (it can be a public device) and log in with your credentials again.
- Go back to Browser A and change or reset your password.
- After a successful reset/change of a password in Browser A, the session in Browser B should be destroyed and the user should automatically be logged out.
Change History (3)
This ticket was mentioned in PR #4915 on WordPress/wordpress-develop by @nsinelnikov.
3 years ago
#1
- Keywords has-patch added
#2
@
3 years ago
- Keywords close added
- Resolution set to worksforme
- Status changed from new to closed
Hi @nsinelnikov, thanks for the Ticket. The user in Browser A will be forced to log in after the password reset is initiated from Browser B, even without the patch you attached. The reason is, we are checking if the password was changed or not, and then use the wp_clear_auth_cookie() function to reset any cookie related to authentication.
https://developer.wordpress.org/reference/functions/wp_clear_auth_cookie/
Your contribution is more than welcome. But, as this functionality is already in the core, I will be closing this ticket for now with the resolution of "worksforme".
Destroyed user's sessions using WP_Session_Tokens class.
Trac ticket: https://core.trac.wordpress.org/ticket/58911
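
An added example, not code from PR #4915 or from WordPress core: one way a site-specific plugin could explicitly destroy server-side session tokens with `WP_Session_Tokens` when a password is reset or changed, keeping only the session of the browser that made the change. The helper name `example_destroy_sessions_for_user` and the plugin header are hypothetical.

```php
<?php
/**
 * Plugin Name: Destroy Sessions On Password Change (added example)
 */

// Hypothetical helper; not part of WordPress core or of PR #4915.
function example_destroy_sessions_for_user( $user_id ) {
	$user_id = (int) $user_id;
	$manager = WP_Session_Tokens::get_instance( $user_id );

	// If the affected user is the one making this request, keep the session
	// of the browser performing the change. Core re-issues that browser's
	// auth cookie with the same token after a profile password change, so
	// destroying it too would log the user out on the next request.
	$current_token = '';
	if ( get_current_user_id() === $user_id ) {
		$current_token = wp_get_session_token();
	}

	if ( '' !== $current_token ) {
		$manager->destroy_others( $current_token );
	} else {
		// Lost-password flow (nobody logged in) or an admin editing another
		// user: drop every stored session token for that account.
		$manager->destroy_all();
	}
}

// Password reset through the "lost password" flow.
add_action( 'after_password_reset', function ( $user ) {
	example_destroy_sessions_for_user( $user->ID );
} );

// Password change through a profile update: compare old and new stored hashes.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
	$user = get_userdata( $user_id );
	if ( $user && ! hash_equals( (string) $old_user_data->user_pass, (string) $user->user_pass ) ) {
		example_destroy_sessions_for_user( $user_id );
	}
}, 10, 2 );
```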