Expired password reset key issue

  • hillslope

    (@hillslope)


    11 years ago

    Running 3.7.1 and when my users try to reset their password they are getting the expired link to reset the password. All updates are current, but this issue has only been reported since the recent update went through. I have notification emails about password resets the day before the update (28th), but none since.
    I have tested this, and the same reset key is being supplied for all password reset attempts – different users, browsers – same result. So it appears the system is not creating new keys for resets- just sending the same old expired one.
    Have deactivated all plugins that might work on password/user to test and it has made no difference.
    Any other options? Have a site with a lot of users sending this issue.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Manish Bhatia

    (@manishbhatias)

    Hi,

    I had the same issue on my site. On debugging, I found out that WordPress has changed how the key is generated and stored.

    You must be using a plugin which hooks into retrieve_password action and does the key generation such as a custom reset password email plugin, or login page theme.

    Millen

    (@millen)

    Hi hillslope and manishbhatias!

    Have you had any luck solving this problem yet?

    I have exactly the same problem after I updated to 3.7.1 the password reset link received in the email is expired as soon as it is created.

    Thread Starter hillslope

    (@hillslope)

    Has taken me a while to find the cause, but for me it appears that the Redrokk login widget was the one for me. Others have found other plugins, and the only way is to disable plugins that do as manishbhatias has identified, then test the reset.

    I wish I had seen your post first manishbhatias, would have made it a bit quicker to trace.

    Search for previous support posts on this issue – might find other plugins causing the issue.

    “You must be using a plugin which hooks into retrieve_password action and does the key generation such as a custom reset password email plugin, or login page theme.”

    There has to be an error with my login/forgotten page than.

    What should I hook into now, after the change in WordPress 3.7.1+ ?

    Thread Starter hillslope

    (@hillslope)

    The default WordPress login page does not seem to cause this issue. It is only from a plugin that provides a different login theme. Maybe try installing 3.8 and see what happens if the plugin disabling does not change it.

    The hook has not changed. WordPress has changed the way the key is generated and saved to database in retrieve_password function.

    I believe you are using a custom theme.

    Basically
    1) search for a function which hooks on retrieve_password in your theme files

    2) change it to use the new phppass class to hash the key before saving it in database.

    If you can provide the code for the hook, I can help in step2 above regarding changes that need to be made?

    Thanks

    Member password_reset?
    Of course every member wants to set their own password created with multiple obscure sequences of letters(upper and lower case) numbers(plus symbols) rather than using only the one assigned by the current process.
    When will that be workable?
    Thanks
    donlesterthompson
    [email protected]

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Expired password reset key issue’ is closed to new replies.