Ticket #5990 (closed defect: fixed)

Opened 9 months ago

Last modified 9 months ago

Dance the password reset tango

Reported by: tellyworth
Assigned to: anonymous
Priority: normal
Milestone: 2.5
Component: General
Version:
Severity: normal
Keywords: has-patch
Cc:

Description

Here's how it goes:

1. Start at wp-login.php?action=lostpassword, enter your username and click Get New Password. user_activation_key is now key1.

2. Check your email. The key hasn't arrived yet.

3. Go back to the lostpassword page and click Get New Password again. user_activation_key is now key2.

4. The first confirmation email arrives containing key1. Click - it fails.

5. Go back to the lostpassword page and click Get New Password again. user_activation_key is now key3.

6. The second confirmation email arrives containing key2. Click - it fails.

Repeat steps 5 and 6 and ad lib to fade.

The enclosed patch breaks the cycle by only generating a new user_activation_key at step 1. When the password is successfully reset, wp_set_password() will set user_activation_key to an empty string. If multiple activation keys are requested before the password is successfully reset (steps 3 and 5), the same key will be re-sent each time.

Attachments

password-reset-fix-r7013.patch (1.1 kB) - added by tellyworth on 02/25/08 07:21:38.

Change History

02/25/08 07:21:38 changed by tellyworth

  • attachment password-reset-fix-r7013.patch added.

02/25/08 07:34:25 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [7015]) Create password reset key only once. Props tellyworth. fixes #5990
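
The behaviour described in the ticket, as an added example that is not the attached patch or WordPress code: an in-memory model that replays steps 1 to 4 with and without key reuse. `ResetStore`, its methods, `replayTango` and the login `alice` are hypothetical names; only `user_activation_key` and the clearing of the key on a successful reset come from the ticket. It assumes PHP 8.0 or later.

```php
<?php
// Added illustration: an in-memory model of the reset flow, not WordPress code.
// ResetStore and its method names are hypothetical; only user_activation_key
// and the "clear on successful reset" behaviour come from the ticket.
final class ResetStore
{
    /** @var array<string,string> login => user_activation_key ('' = none) */
    private array $keys = [];

    public function __construct(private bool $reuseExistingKey) {}

    // Models clicking "Get New Password": returns the key that gets e-mailed.
    public function requestReset(string $login): string
    {
        $current = $this->keys[$login] ?? '';
        if ($current === '' || !$this->reuseExistingKey) {
            // Without reuse: always overwrite. With reuse: only when empty.
            $current = bin2hex(random_bytes(10));
            $this->keys[$login] = $current;
        }
        return $current;
    }

    // Models clicking the e-mailed link; a successful reset clears the key.
    public function confirmReset(string $login, string $key): bool
    {
        $stored = $this->keys[$login] ?? '';
        if ($stored === '' || !hash_equals($stored, $key)) {
            return false;
        }
        $this->keys[$login] = '';
        return true;
    }
}

// Replays steps 1-4 of the ticket: two requests, then the first e-mail arrives.
function replayTango(bool $reuseExistingKey): array
{
    $store = new ResetStore($reuseExistingKey);
    $mail1 = $store->requestReset('alice');   // step 1 (constructed login)
    $mail2 = $store->requestReset('alice');   // step 3, before mail1 arrives
    $firstClick = $store->confirmReset('alice', $mail1);  // step 4
    $lateClick = $store->confirmReset('alice', $mail2);   // second e-mail, late
    return ['first_click' => $firstClick, 'late_click' => $lateClick];
}

var_dump(replayTango(false)); // key regenerated on every request
var_dump(replayTango(true));  // key created only once, as in the ticket's fix
```

With reuse enabled the first link works, and the duplicate link from the second e-mail stops working once the successful reset has cleared the key. Until that reset happens, every repeated request re-sends the same key, so in this model it stays valid for as long as the reset is left pending.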