[wp-trac] [WordPress Trac] #5990: Dance the password reset tango
WordPress Trac
wp-trac at lists.automattic.com
Mon Feb 25 07:21:19 GMT 2008
#5990: Dance the password reset tango
------------------------+---------------------------------------------------
Reporter: tellyworth | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.5
Component: General | Version:
Severity: normal | Keywords: has-patch
------------------------+---------------------------------------------------
Here's how it goes:
1. Start at wp-login.php?action=lostpassword, enter your username and
click Get New Password. user_activation_key is now key1.
2. Check your email. The key hasn't arrived yet.
3. Go back to the lostpassword page and click Get New Password again.
user_activation_key is now key2.
4. The first confirmation email arrives containing key1. Click - it
fails.
5. Go back to the lostpassword page and click Get New Password again.
user_activation_key is now key3.
6. The second confirmation email arrives containing key2. Click - it
fails.
Repeat steps 5 and 6 and ad lib to fade.
The enclosed patch breaks the cycle by only generating a new
user_activation_key at step 1. When the password is successfully reset,
wp_set_password() will set user_activation_key to an empty string. If
multiple activation keys are requested before the password is successfully
reset (steps 3 and 5), the same key will be re-sent each time.
--
Ticket URL: <http://trac.wordpress.org/ticket/5990>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
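The cycle described in the ticket and the effect of the proposed fix, modelled in memory as an added example; this is not the enclosed patch or WordPress code. `ResetFlow`, `tango` and the mail queue are hypothetical names; only `user_activation_key` and the clearing done by `wp_set_password()` come from the ticket.

```python
import secrets
from collections import deque


class ResetFlow:
    """In-memory model of the lost-password flow (hypothetical, not WordPress code)."""

    def __init__(self, reuse_key):
        self.reuse_key = reuse_key   # True models the patched behaviour
        self.activation_key = ""     # models user_activation_key
        self.mail_queue = deque()    # models confirmation e-mails still in transit

    def request_reset(self):
        # Old behaviour: overwrite the key on every request.
        # Patched behaviour: generate only when no key is pending, else re-send it.
        if not (self.reuse_key and self.activation_key):
            self.activation_key = secrets.token_urlsafe(16)
        self.mail_queue.append(self.activation_key)

    def deliver_next_mail(self):
        return self.mail_queue.popleft()

    def confirm(self, key):
        # An empty stored key never matches; comparison is constant-time.
        ok = bool(self.activation_key) and secrets.compare_digest(
            key, self.activation_key
        )
        if ok:
            self.activation_key = ""  # models wp_set_password() clearing the key
        return ok


def tango(flow, rounds=3):
    """Replay the ticket's steps: every e-mail arrives one request late."""
    flow.request_reset()                  # step 1
    results = []
    for _ in range(rounds):
        flow.request_reset()              # steps 3, 5, ...
        results.append(flow.confirm(flow.deliver_next_mail()))  # steps 4, 6, ...
        if results[-1]:
            break
    return results


if __name__ == "__main__":
    print("regenerate every time:", tango(ResetFlow(reuse_key=False)))
    print("reuse pending key:    ", tango(ResetFlow(reuse_key=True)))
```

In this model a re-sent key stays valid until a reset succeeds, and a late duplicate e-mail stops working once the key has been cleared.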