[wp-trac] [WordPress Trac] #60726: The WordPress core password reset needs to pre-populate the username to meet WCAG 2.2

WordPress Trac noreply at wordpress.org
Sun Jun 8 08:28:49 UTC 2025


#60726: The WordPress core password reset needs to pre-populate the username to
meet WCAG 2.2
-----------------------------------------+--------------------------------
 Reporter:  estelaris                    |       Owner:  joedolson
     Type:  defect (bug)                 |      Status:  accepted
 Priority:  normal                       |   Milestone:  6.9
Component:  Login and Registration       |     Version:
 Severity:  normal                       |  Resolution:
 Keywords:  has-patch changes-requested  |     Focuses:  ui, accessibility
-----------------------------------------+--------------------------------

Comment (by lukasfritzedev):

 == Main requirements of implementation:

 * auto-populating the input `user_login` of the login form
 * preventing a user from bookmarking data containing their username (as
 mentioned in #comment:16)

 == How to implement this:

 **Case 2.** (Login after password reset) and **case 5.** (Login after
 requesting new password) could be implemented using a session cookie that
 stores just the login name (as suggested by @peterwilsoncc in
 #comment:16). As mentioned in #comment:8 the information that a user
 exists is not secret, so the username can be set as a cookie. I think
 there is no need for a redirect in these cases since the username is not
 encoded in the query parameters of the URLs at this point.

 The cookie should be removed after the login is successful. As default
 expiration I’d suggest `0`, as it is done for the `wp-resetpass-*` cookie.

 @joedolson suggested using
 [https://developer.wordpress.org/apis/transients/ transients] during the
 short discussion on contributor day. After checking the flows and
 considering the non-secret nature of the username, I think this is not
 necessary in these cases. I’m happy to reconsider this. Have I overlooked
 something?

 I think the same approach can be used for case 1. (Login after
 installation) and case 4. (Restoring password after unsuccessful Login).

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/60726#comment:31>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
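
The session-cookie approach proposed in the comment above for case 2, sketched as an added example; it is not code from the ticket, its patch, or WordPress core. The cookie name and the `example_*` functions are hypothetical, and it assumes PHP 7.3+ running inside WordPress before any output is sent.

```php
<?php
// Added illustration, not WordPress core code. The cookie name and the
// example_* function names are hypothetical. Assumes PHP 7.3+ (array form
// of setcookie()) and a loaded WordPress environment.
const EXAMPLE_PREFILL_COOKIE = 'wp-prefill-login-example';

function example_prefill_cookie_options( $expires ) {
	return array(
		'expires'  => $expires, // 0 = session cookie, as the comment suggests.
		// Scope the cookie to the login script only.
		'path'     => (string) wp_parse_url( wp_login_url(), PHP_URL_PATH ),
		'domain'   => (string) COOKIE_DOMAIN,
		'secure'   => is_ssl(),
		'httponly' => true,  // Page script has no need to read the value.
		'samesite' => 'Lax', // Sent on top-level navigation to the login page only.
	);
}

// Case 2: remember the login name once the password has been reset.
add_action( 'after_password_reset', function ( $user ) {
	setcookie( EXAMPLE_PREFILL_COOKIE, $user->user_login, example_prefill_cookie_options( 0 ) );
} );

// Remove the cookie as soon as a login succeeds (same path and domain).
add_action( 'wp_login', function () {
	setcookie( EXAMPLE_PREFILL_COOKIE, '', example_prefill_cookie_options( time() - YEAR_IN_SECONDS ) );
} );

// Value for the user_login input. The cookie is client-controlled, so it is
// sanitized on read and must still be escaped where it is printed.
function example_get_prefill_login() {
	if ( empty( $_COOKIE[ EXAMPLE_PREFILL_COOKIE ] ) || ! is_string( $_COOKIE[ EXAMPLE_PREFILL_COOKIE ] ) ) {
		return '';
	}
	return sanitize_user( wp_unslash( $_COOKIE[ EXAMPLE_PREFILL_COOKIE ] ) );
}

// In the form: printf( 'value="%s"', esc_attr( example_get_prefill_login() ) );
```

Because the value round-trips through the browser, the username never appears in a URL that could be bookmarked, and `esc_attr()` at output keeps a tampered cookie from breaking out of the attribute.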