Opened 9 years ago
Closed 9 years ago
#6637 closed defect (bug) (worksforme)
Lost Password issue, always errors with 'expiredkey'
Reported by: | 16hands | Owned by: | |
---|---|---|---|
Milestone: | Priority: | high | |
Severity: | normal | Version: | 2.3.3 |
Component: | Core | Keywords: | reporter-feedback |
Cc: | ben@… |
Description
This is issue was discussed here:
https://buddypress.org/support/topic/lost-password-not-working/
We have a large community site with about 10,000 members, when we upgrade to Wordpress 4.3 and BuddyPress to suit we noticed members had an issue with resetting their password.
The reset email is sent to the member:
Someone requested that the password be reset for the following account:
Username: carlbowden2
If this was a mistake, just ignore this email and nothing will happen.
To reset your password, visit the following address:
<http://bounty.co.nz/resetpass?key=N1aPjwW3c79LXEKfKHYR&login=carlbowden2>
but the link "http://bounty.co.nz/resetpass?key=N1aPjwW3c79LXEKfKHYR&login=carlbowden2" is redirected to:
http://bounty.co.nz/lostpassword?error=expiredkey
This happens even when there is only a few minutes between the email being sent and the link being clicked, we have checked that the server time and local are correct, it happens on new and old accounts alike, and it happens for anyone who requests a reset
Thank your for the great work
kind regards
Carl.
Hi 16hands - Thanks for the report.
I'm unable to reproduce the 'expiredkey' problem on a stock installation, though I know that this functionality changed in WP 4.3, so I believe that there's a real problem here.
I'm a bit perplexed by the URL of the password reset:
resetpass
. WordPress doesn't use this kind of URL for password resets. Are you using a plugin that customizes your login process somehow? It appears that the Theme My Login plugin, among others, may use theresetpass
token.I'm guessing that WordPress is expiring the key after a redirect, and that the redirect is being performed by a separate plugin.