Reset password link not working

    • thibaut
      Participant
      # 2 years, 11 months ago

      The link to reset my password is redirecting directly to

      members-area/forgot-password/?error=expiredkey

      when the key cannot be expired as I just requested it !

    • thibaut
      Participant
      # 2 years, 11 months ago

      I found the issue in your code:

      in the file customer-area-login-form/src/php/wp-login-helper.class.php

      starting line 77 should be changed to this :

                  $key = $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM $wpdb->users WHERE user_login = %s", $user_login));
                  //if (empty($key))
                  //{
                      // Generate something random for a key...
                      $key = wp_generate_password(20, false);
                      do_action('retrieve_password_key', $user_login, $key);
      
                      // Now insert the new md5 key into the db
                      $wpdb->update($wpdb->users, array('user_activation_key' => time() . ':'. $key), array('user_login' => $user_login));
                  //}

      First you should always regenerate the activation key on demand, second the time() needs to be added in front of the key in the DB separated by “:” in order to allow expiration and verification.

      pleaseĀ  correct this ASAP

      • thibaut
        Participant
        # 2 years, 11 months ago

        I updated the code to use wordpress’ secure hash instead, this is working fully

        $key = $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM $wpdb->users WHERE user_login = %s", $user_login));
                    //if (empty($key))
                    //{
                        // Generate something random for a key...
                        $key = wp_generate_password(20, false);
                        do_action('retrieve_password_key', $user_login, $key);
        
                        global $wp_hasher;
                        // Now insert the key, hashed, into the DB.
                        if ( empty( $wp_hasher ) ) {
                            require_once ABSPATH . WPINC . '/class-phpass.php';
                            $wp_hasher = new PasswordHash( 8, true );
                        }
        
                        $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
        
                        // Now insert the new md5 key into the db
                        $wpdb->update($wpdb->users, array('user_activation_key' => $hashed), array('user_login' => $user_login));
                    //}
    • Vincent Mimoun-Prat
      Participant
      # 2 years, 11 months ago

      Hi

      We already have a fix pending a release for that issue. Yes, we needed something like that as well as an update when checking the key too.

      We will release the fix soon.

      Regards

Viewing 2 reply threads

The topic ‘Reset password link not working’ is closed to new replies.