Updating wp.user password logs out user (3 posts)

  1. Netcore
    Member
    Posted 3 years ago #

    Hello good people,

    I've been working with WP for a few months now and have been working with PHP & MySQL for quite a few years. I received a job from a client that was done by another coder and he wasn't really satisfied with the work (my client). As most people know unless a coder sticks to some normal standards it gets quite difficult to read another man's code...

    Anyway, after making the adjustments my client wanted I was left with one problem that I haven't been able to solve.

    Situation: There's a login panel on the front of the website that uses the WP login. If you enter the wrong password it will send you to wp-login.php with an error message.

    If you log in successfully you arrive on the 'front-end' of the website with an admin panel that was created.

    Problem: When I go to edit the user's password and hit submit, it will change the password and then log me out.

    The Code: Here's the code that the first guy who had this assignment wrote to update the password in the DB:

    global $wpdb;
    $password = $_POST['wachtwoord'];
    $md5password = wp_hash_password($password);
    
    $profile_id = $_POST['prof_id'];
    $wpdb->query("UPDATE `wp_users` SET `user_login` = '".$_POST['log_name']."', `user_pass` = '{$md5password}' WHERE `ID` = '" . $profile_id . "'");

    I've also tried using wp_update_user but that has the same result.

    I've tried tracking down how it's done in the WP-admin side of it, but I got a bit lost in the code of WP itself. I figured I would see if anybody here's got a clue as to why it's happening and most importantly: if and how I can fix this?

    Thanks very much!

    Regards,
    Fons

  2. Xephan
    Member
    Posted 3 years ago #

    You shouldn't try to "fix" this.

    It's good security practice to force log out the account when the password is changed, especially since WordPress allows concurrent logins.

    This ensures that whoever else logs in after that is really the authorized user and not somebody who obtained the previous password. Of course it doesn't help if the person changing the password is the unauthorized person :D

  3. Aaron Forgue
    Member
    Posted 3 years ago #

    Netcore,
    We ran into a similar issue. Here's an actual solution to your question, rather than a lecture on best practices.

    global $wpdb;
    
    $profile_id = $_POST['prof_id'];
    $username = $_POST['log_name'];
    $password = $_POST['wachtwoord'];
    $md5password = wp_hash_password($password);
    
    // You may want to use $wpdb->prepare() here. As it stands, malicious code could be passed in via $_POST['prof_id'] or $_POST['log_name']
    $wpdb->query("UPDATE `wp_users` SET `user_login` = '".$username."', `user_pass` = '{$md5password}' WHERE `ID` = '" . $profile_id . "'");
    
    // Here is the magic:
    wp_cache_delete($profile_id, 'users');
    wp_cache_delete($username, 'userlogins'); // This might be an issue for how you are doing it. Presumably you'd need to run this for the ORIGINAL user login name, not the new one.
    wp_logout();
    wp_signon(array('user_login' => $username, 'user_password' => $password));

    Credits go to this plugin for the above trick: http://wordpress.org/extend/plugins/change-password-e-mail/
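
Added example, not part of any post above and not WordPress core or plugin code: one way to write the handler discussed in this thread so that the values are bound rather than concatenated, the caller is authorized for `prof_id`, and a fresh cookie is issued only when users change their own password. The POST field names come from the posts; the function name, nonce field and action, and error codes are assumptions.

```php
<?php
// Added example. POST field names come from the thread; the function name,
// nonce field/action and error codes are hypothetical.
function example_update_credentials() {
    global $wpdb;

    // CSRF check: the form must carry a nonce created for this action.
    $nonce = isset( $_POST['example_nonce'] ) ? $_POST['example_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_update_credentials' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    // prof_id is client-supplied: force an integer and confirm the logged-in
    // user may edit that account before touching the database.
    $profile_id = isset( $_POST['prof_id'] ) ? absint( $_POST['prof_id'] ) : 0;
    $old_user   = $profile_id ? get_userdata( $profile_id ) : false;
    if ( ! $old_user || ! current_user_can( 'edit_user', $profile_id ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to edit this user.' );
    }

    $username = isset( $_POST['log_name'] ) ? sanitize_user( wp_unslash( $_POST['log_name'] ), true ) : '';
    // The password is passed through as posted, as in the thread's code.
    $password = ( isset( $_POST['wachtwoord'] ) && is_string( $_POST['wachtwoord'] ) ) ? $_POST['wachtwoord'] : '';
    if ( '' === $username || '' === $password ) {
        return new WP_Error( 'empty_field', 'Login name and password are required.' );
    }

    // Refuse a login name that already belongs to a different account.
    $owner = username_exists( $username );
    if ( $owner && (int) $owner !== $profile_id ) {
        return new WP_Error( 'login_taken', 'Login name already in use.' );
    }

    // $wpdb->update() binds values through placeholders instead of concatenating them.
    $wpdb->update( $wpdb->users, array( 'user_login' => $username ),
        array( 'ID' => $profile_id ), array( '%s' ), array( '%d' ) );
    clean_user_cache( $old_user ); // drops the cache entry keyed by the old login

    // Hashes and stores the password. Auth cookies issued under the old hash
    // stop validating, which is the logout described in the first post.
    wp_set_password( $password, $profile_id );

    // Re-issue a cookie only when the user changed their own password, so an
    // administrator editing someone else stays logged in as themselves.
    if ( get_current_user_id() === $profile_id ) {
        wp_clear_auth_cookie();
        wp_set_auth_cookie( $profile_id );
    }
    return true;
}
```

Call it before any output is sent, since `wp_set_auth_cookie()` sets response headers.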
