[buddypress-trac] [BuddyPress Trac] #7914: Possibilities of duplicate activation_key.

buddypress-trac noreply at wordpress.org
Wed Jul 4 14:03:47 UTC 2018

#7914: Possibilities of duplicate activation_key.
 Reporter:  singhleo      |      Owner:  (none)
     Type:  enhancement   |     Status:  new
 Priority:  omg pizza     |  Milestone:  Awaiting Review
Component:  Registration  |    Version:  3.0.0
 Severity:  normal        |   Keywords:
 In buddypress signup process we are generating activation_key using
 `wp_generate_password` function without checking previous generated keys
 existence in database.

 I know that string generated using wp_generate_password have very very
 less chance generating matching key. but still that is possible I think.

 Issue can be caused having if signup table have duplicate activation_key

 1. We only send user activation email appending in activation key in
 activation URL via email. Because of that activation key can activate
 another user account instead of one who is performing it activation.

 Some Solutions.

 1. By adding relation with signup_id or user email on activation link. and
 validation the activation_key in relation with user email or signup_id.
 2. Or Generating a unique activation_key by checking on db. (can be a
 heavy queries if signup has alot of data)
 3. Add Prefix of signup_id on activation_key generated by
 wp_generate_password(). activation_key field allow us to have 50 chars and
 wp_generate_password is generating 32 char length key, So I think it will
 be fine if we add prefix of signup_id to make it unique.


 File bp-members-functions.php line no 1697.

 Sorry for my english :).

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7914>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac

More information about the buddypress-trac mailing list