Lost your password

Resolved jmelhus@gmail.com
(@jmelhusgmailcom)

10 years, 1 month ago

Hi,

I believe there is an issue with the function ‘Lost your password?’ of Sexy Login and WordPress 3.8. What happens is that I can ‘reset’ my password, but receive the same key in the url all the time, and wordpress tells me the key is invalid. Could you please look into this to see if this is just an issue I see, or if its’ a general combination of Sexy Login and the latest WordPress.

Thanks!

https://wordpress.org/plugins/sexy-login/

Viewing 3 replies - 1 through 3 (of 3 total)

Thread Starter

jmelhus@gmail.com

(@jmelhusgmailcom)

10 years, 1 month ago

Hi again,

I looked further into it. Had a peek into wp-login.php in WordPress 3.8.

In Sexy Login ajax.php I exchanged this code:

$key	= $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM $wpdb->users WHERE user_login = %s", $user_login));

if ( empty($key) ) {
	// Generate something random for a key...
	$key = wp_generate_password(20, false);
	do_action('retrieve_password_key', $user_login, $key);
	// Now insert the new md5 key into the db
	$wpdb->update($wpdb->users, array('user_activation_key' => $key), array('user_login' => $user_login));
}

With this code (from wp-login.php):

$key = wp_generate_password( 20, false );

/**
 * Fires when a password reset key is generated.
 *
 * @since 2.5.0
 *
 * @param string $user_login The username for the user.
 * @param string $key        The generated password reset key.
 */
do_action( 'retrieve_password_key', $user_login, $key );

// Now insert the key, hashed, into the DB.
if ( empty( $wp_hasher ) ) {
	require_once ABSPATH . 'wp-includes/class-phpass.php';
	$wp_hasher = new PasswordHash( 8, true );
}
$hashed = $wp_hasher->HashPassword( $key );
$wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );

Would appreciate your view on this code alteration…

Thanks!