Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#5990 closed defect (bug) (fixed)

Dance the password reset tango

Reported by: tellyworth
Owned by:
Milestone: 2.5
Priority: normal
Severity: normal
Version:
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

Here's how it goes:

  1. Start at wp-login.php?action=lostpassword, enter your username and click Get New Password. user_activation_key is now key1.
  2. Check your email. The key hasn't arrived yet.
  3. Go back to the lostpassword page and click Get New Password again. user_activation_key is now key2.
  4. The first confirmation email arrives containing key1. Click - it fails.
  5. Go back to the lostpassword page and click Get New Password again. user_activation_key is now key3.
  6. The second confirmation email arrives containing key2. Click - it fails.

Repeat steps 5 and 6 and ad lib to fade.

The enclosed patch breaks the cycle by only generating a new user_activation_key at step 1. When the password is successfully reset, wp_set_password() will set user_activation_key to an empty string. If multiple activation keys are requested before the password is successfully reset (steps 3 and 5), the same key will be re-sent each time.
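
The failure mode and the fix described above, as an added example that is not part of the ticket or of the attached patch. It is a self-contained Python model of the reset-key lifecycle, not WordPress code: `User` stands in for the wp_users row, `ResetFlow.retrieve_password()` for the lostpassword handler, `reset_password()` for the confirmation step (which, like wp_set_password(), clears user_activation_key on success), and `tango()` replays the ticket's steps with mail delivery lagging behind requests. The class and function names, the in-memory "outbox" used as the delayed mail queue, and the use of a random hex token in place of wp_generate_password() are all assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class User:
    """Constructed stand-in for the wp_users row referenced in the ticket."""
    login: str
    password_hash: str
    user_activation_key: str = ""


@dataclass
class ResetFlow:
    """Models the lostpassword request plus the reset confirmation.

    reuse_key=False: pre-patch behaviour, a fresh key on every request.
    reuse_key=True:  post-patch behaviour, generate once and reuse until reset.
    """
    users: Dict[str, User]
    reuse_key: bool
    # (login, key) pairs for "emails" sent but not yet read (constructed delay queue).
    outbox: List[Tuple[str, str]] = field(default_factory=list)

    def retrieve_password(self, login: str) -> str:
        """Handle a click on Get New Password; returns the key that was mailed."""
        user = self.users[login]
        if not (self.reuse_key and user.user_activation_key):
            # Stand-in for wp_generate_password(): a fresh random key.
            user.user_activation_key = secrets.token_hex(10)
        self.outbox.append((login, user.user_activation_key))
        return user.user_activation_key

    def check_password_reset_key(self, login: str, key: str) -> bool:
        """Key is valid only if it matches the one currently stored for the user."""
        user = self.users.get(login)
        if user is None or not key or not user.user_activation_key:
            return False
        return secrets.compare_digest(user.user_activation_key, key)

    def reset_password(self, login: str, key: str, new_hash: str) -> bool:
        """Confirmation step; on success the key is consumed (as wp_set_password() does)."""
        if not self.check_password_reset_key(login, key):
            return False
        user = self.users[login]
        user.password_hash = new_hash
        user.user_activation_key = ""
        return True


def tango(reuse_key: bool, rounds: int = 4) -> Tuple[List[bool], ResetFlow]:
    """Replay the ticket: request twice before any mail arrives, then read mails
    in order, re-requesting after every failed click. Returns the per-click
    outcomes and the final state."""
    flow = ResetFlow({"alice": User("alice", "old-hash")}, reuse_key)
    flow.retrieve_password("alice")  # step 1
    flow.retrieve_password("alice")  # step 3: step 1's mail has not arrived yet
    results: List[bool] = []
    for _ in range(rounds):
        login, key = flow.outbox.pop(0)  # the oldest mail finally arrives
        ok = flow.reset_password(login, key, "new-hash")
        results.append(ok)
        if ok:
            break
        flow.retrieve_password("alice")  # step 5: user clicks Get New Password again
    return results, flow


if __name__ == "__main__":
    print("pre-patch :", tango(reuse_key=False)[0])  # every click fails
    print("post-patch:", tango(reuse_key=True)[0])   # first mail works
```

With `reuse_key=False` there is always a newer key outstanding than the one in the mail being read, so every click fails for as long as the user keeps requesting. With `reuse_key=True` every outstanding mail carries the same key, the first one read succeeds, and because the key is cleared on success the duplicate mails that are still in flight cannot be replayed. The trade-off a reviewer would note is that a reused key stays valid until it is consumed, so bounding its lifetime is a separate control this patch does not provide.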

Attachments (1)

password-reset-fix-r7013.patch (1.1 KB) - added by tellyworth 7 years ago.


Change History (2)

comment:1 @ryan 7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [7015]) Create password reset key only once. Props tellyworth. fixes #5990
