Make WordPress Core

Opened 10 months ago

Closed 10 months ago

Last modified 4 months ago

#58911 closed enhancement (worksforme)

Destroy logged in sessions after successfully password reset

Reported by: nsinelnikov's profile nsinelnikov Owned by:
Milestone: Priority: normal
Severity: normal Version: 6.3
Component: Login and Registration Keywords: has-patch close
Focuses: Cc:

Description

There is wp-login.php form popup if the session is expired in wp-admin. But for the frontend part there can be this enhancement:

  1. Go to Browser A and log in with your credentials.
  1. Go to Browser B (it can be a public device) and log in with your credentials again.
  1. Go back to Browser A and change or reset your password.
  1. After a successful reset/change of a password in Browser A, the session in Browser B should be destroyed and the user should automatically be logged out.

Change History (3)

This ticket was mentioned in PR #4915 on WordPress/wordpress-develop by @nsinelnikov.


10 months ago
#1

  • Keywords has-patch added

Destroyed user's sessions using WP_Session_Tokens class.

Trac ticket: https://core.trac.wordpress.org/ticket/58911

#2 @rajinsharwar
10 months ago

  • Keywords close added
  • Resolution set to worksforme
  • Status changed from new to closed

Hi @nsinelnikov, thanks for the Ticket. The user in Browser A will be forced to log in after the password reset is initiated from Browser B, even without the patch you attached. The reason is, we are checking if the password was changed or not, and then use the wp_clear_auth_cookie() function to reset any cookie related to authentication.
https://developer.wordpress.org/reference/functions/wp_clear_auth_cookie/

Your contribution is more than welcome. But, as this functionality is already in the core, I will be closing this ticket for now with the resolution of "worksforme"

#3 @swissspidy
4 months ago

  • Milestone Awaiting Review deleted
Note: See TracTickets for help on using tickets.