
Opened 9 years ago

Closed 6 years ago

#21314 closed enhancement (duplicate)

Add password reset key expiration

Reported by: skithund
Owned by:
Milestone:
Priority: normal
Severity: minor
Version: 3.4.1
Component: Users
Keywords: has-patch needs-testing needs-refresh
Focuses:
Cc:

Description

Password reset using correct user_activation_key is currently possible forever.

Attached is a patch which clears newly created user_activation_key after one week.

Attachments (2)

21314.diff (2.5 KB) - added by skithund 9 years ago.
reset-password.patch (2.6 KB) - added by dllh 7 years ago.
non-cron approach


Change History (8)

@skithund
9 years ago

#1 @sirzooro
9 years ago

  • Cc sirzooro added

#2 @jeremyfelt
7 years ago

  • Keywords needs-testing needs-refresh added
  • Milestone changed from Awaiting Review to Future Release

This seems sane to me. Better than having activation keys hanging out in the wild. Definitely worth discussing for the future.

Can we use wp_update_user() for this rather than the direct query?

#3 @dllh
7 years ago

I was thinking that a cron job might not be the best approach, as it depends entirely on there being traffic to the site to fire the code. I'm not sure whether a request to actually reset the password would cause the cron to clean up old keys to fire or not. I put together a different concept that sets a timestamp in usermeta on reset request, checks it when the reset link is visited, and deletes it to clean up upon successful login. I'm not sold on my approach but thought I'd put it out there for consideration alongside the other proposal.

@dllh
7 years ago

non-cron approach

#4 follow-up: @hypertextranch
7 years ago

Just tossing this idea out there, what about expiring the reset link upon successful login instead/as well?

#5 in reply to: ↑ 4 @dllh
7 years ago

Replying to hypertextranch:

Just tossing this idea out there, what about expiring the reset link upon successful login instead/as well?

Yep, that happens with my patch because we delete the usermeta on login, and the reset link bails if the meta is empty, which it will be after login.
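The non-cron concept dllh describes in comments #3 and #5 (record a timestamp in usermeta when a reset key is issued, check it when the reset form is used, delete it on successful login so the link stops working) written out as a small plugin. This is an added illustration for readers of the ticket, not the attached reset-password.patch and not WordPress core code. It assumes the one-week window proposed in the ticket, the core hooks retrieve_password_key, validate_password_reset and wp_login, and a meta key name (_reset_key_issued) chosen here for the example.

```php
<?php
/*
Plugin Name: Reset Key Expiry (illustrative example, not the ticket's patch)
*/

// Window after which an issued reset key is treated as stale.
// One week matches the ticket's proposal; adjust to taste.
define( 'RKE_RESET_KEY_TTL', WEEK_IN_SECONDS );

// Meta key used for bookkeeping (name chosen for this example).
define( 'RKE_META_KEY', '_reset_key_issued' );

/**
 * Record when a reset key was generated for the user.
 * Fires from core when a password reset e-mail is being prepared.
 */
add_action( 'retrieve_password_key', function ( $user_login, $key ) {
    $user = get_user_by( 'login', $user_login );
    if ( $user instanceof WP_User ) {
        update_user_meta( $user->ID, RKE_META_KEY, time() );
    }
}, 10, 2 );

/**
 * Reject the reset form when no timestamp exists (already used, or never
 * issued through the normal flow) or when the key is older than the window.
 * Adding an error to $errors stops wp-login.php from calling reset_password().
 */
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( ! $user instanceof WP_User || ! $errors instanceof WP_Error ) {
        return;
    }
    $issued = (int) get_user_meta( $user->ID, RKE_META_KEY, true );
    if ( ! $issued || ( time() - $issued ) > RKE_RESET_KEY_TTL ) {
        $errors->add(
            'expired_key',
            __( 'This password reset link has expired. Please request a new one.' )
        );
    }
}, 10, 2 );

/**
 * Once the user has signed in, drop the timestamp so the reset link can no
 * longer be used (the check above fails on an empty meta value).
 */
add_action( 'wp_login', function ( $user_login, $user ) {
    if ( $user instanceof WP_User ) {
        delete_user_meta( $user->ID, RKE_META_KEY );
    }
}, 10, 2 );
```

The check runs inline on the request that uses the link, so it does not depend on WP-Cron firing, which was dllh's objection to the cron-based patch. Keeping the timestamp separate from user_activation_key means the key itself is untouched and an expired key is simply refused rather than cleaned up; a later login, not just a successful reset, removes the record, which is the "expire on login" behaviour discussed in comments #4 and #5. For current WordPress versions this plugin is unnecessary: core's check_password_reset_key() enforces its own time limit, adjustable through the password_reset_expiration filter, which is the work the ticket was closed as a duplicate of.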

#6 @dd32
6 years ago

  • Milestone Future Release deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #32429.
