• Resolved jornWidgets

    (@jornwidgets)


    We are having a problem with invalid keys in the links generated by WordPress which users receive after they request a new password when they have forgotten their password.

    User flow:
    A user has forgotten his password and clicks “Password forgotten?” and fills in their username. A mail is now sent to the email address of this user with a link they can use to create a new password. The mail is received and seems to have a well-formed link, however this link is not working as the key is deemed invalid when you use it (also after copy-pasting and whatnot).

    After going through the regular procedure with regards to bugs I found out that the issue seems to be with the All In One WP Security plugin because it worked again when the plugin was inactive and stopped working when it was activated.

    The login page has been renamed and the link in the forgotten password goes to the correct page, the problem is with the key that is deemed invalid for the username.

    P.S. We’ve had an earlier problem where the link was malformed (%38 injected in the link somehow, which was resolved after an update of the All in one Security Plugin).

    WordPress 4.2.1
    All In One WP Security 4.0.1

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Can you check the log files?

    Thread Starter jornWidgets

    (@jornwidgets)

    Thanks for your quick reply. I’ve checked the logs but they’re empty.

    I double-checked if the log file is writable but I saw something weird happening. When the file is not writable I get an error in the php.log, see below. When the file is writable the error in the php log is gone, but there still isn’t anything in the All-in-one log.

    [08-Oct-2015 07:48:17 UTC] PHP Warning: fopen(/data/www/public_html/web/wordpress/wp-content/plugins/all-in-one-wp-security-and-firewall/logs/wp-security-log.txt): failed to open stream: Permission denied in /data/www/public_html/web/wordpress/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-debug-logger.php on line 52

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Have you thought of updating WordPress to the latest version? Is this the first time you have this problem?

    Thread Starter jornWidgets

    (@jornwidgets)

    Thanks for the reply, I’ve updated the core of WordPress and the issue is now resolved. Thanks very much for your assistance, and apologies for wasting your time.

    Thread Starter jornWidgets

    (@jornwidgets)

    Sorry about this, but I spoke too soon.

    When clicking the link I now get a screen where I can create a new password so it looked like that was the solution. However, when I click the submit button there to save the new password I am still redirected to the same page which claims my key is invalid. The new login credentials won’t work after that, the old are still valid.

    I’ve again tried the same after deactivating the WP-All-in-one-Security plugin and then it works as it should.

    Any ideas?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Can you disable all your other plugins except this one? Do you still get the same issue?

    Thread Starter jornWidgets

    (@jornwidgets)

    It took me some time to get the staging server updated but I think I have found the problem now. The issue didn’t exist on the staging server at all and the main difference between the production and staging server is the Varnish cache that’s running on the production, so after some more checking and rechecking I am almost certain the problem lies in the Varnish Cache on the production server.

    Thank you very much for your help and my apologies for wasting your time on this.

    Thread Starter jornWidgets

    (@jornwidgets)

    We’ve fixed the problem now and it also required a define('DONOTCACHEPAGE', true); in “wp-security-user-login.php” to make sure WP Super Cache doesn’t cache the login screen also.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    I am glad to hear.

    Could you share in what line you added the extra code? This could help someone else in the future with a similar problem.

    Thank you

    Thread Starter jornWidgets

    (@jornwidgets)

    Quite right!

    To force WP Super Cache to not cache the All-in-one-Security Plugin’s login page I’ve put the line below in the initialize() function on line 23 in “wp-security-user-login.php”.

    define('DONOTCACHEPAGE', true);

  • The topic ‘key invalid in link password forgotten email’ is closed to new replies.
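
A check for the caching symptom found in this thread, as an added example that is not part of the original posts or the plugin's code: it inspects the response headers of a login or password-reset page and reports signs that Varnish or another cache stored or served it. The function name and the sample headers are constructed for illustration.

```python
# Added example: flag responses for login/reset URLs that a cache may have
# stored or served. The header samples are constructed, not captured from
# the site discussed in this thread.

def cache_findings(headers):
    """Return a list of reasons the response looks cached or cacheable."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # Age > 0 means an intermediary served a stored copy.
    age = h.get("age", "0")
    if age.isdigit() and int(age) > 0:
        findings.append("served from cache (Age: %s)" % age)

    # Varnish puts two transaction ids in X-Varnish on a cache hit.
    if len(h.get("x-varnish", "").split()) >= 2:
        findings.append("Varnish cache hit (two ids in X-Varnish)")

    if "hit" in h.get("x-cache", "").lower():
        findings.append("X-Cache reports a hit")

    # A login or reset page should forbid shared caching explicitly.
    directives = h.get("cache-control", "").split(",")
    cc = {d.strip().lower().split("=")[0] for d in directives}
    if not cc & {"no-store", "no-cache", "private"}:
        findings.append("Cache-Control does not forbid caching")

    return findings

CACHED = {  # constructed: reset page served by a caching proxy
    "Cache-Control": "max-age=600",
    "Age": "212",
    "X-Varnish": "32810 32771",
}
UNCACHED = {  # constructed: same page passed through to PHP
    "Cache-Control": "no-cache, must-revalidate, max-age=0",
    "Age": "0",
    "X-Varnish": "32815",
}

if __name__ == "__main__":
    for name, sample in (("cached", CACHED), ("uncached", UNCACHED)):
        print(name, cache_findings(sample) or "ok")
```

Feed it the headers of two consecutive requests to the renamed login page; any finding on that URL means the cache layer still needs an exclusion for it.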