• Resolved Mark Woodard

    (@woodardmc)


    Hello,

    We’ve added a custom login url to our site, but we get redirected to 404 pages when following the “forgot password” path. Specifically, just after submitting a new password.

    I’ve reproduced this by
    – Go to the custom login url at /lp-connect
    – Click the forgot password link
    – Submit a valid username
    – Follow the link given in the reset email
    – Enter a valid password in the password reset field
    – I get a 404 page instead of the reset success message
    – The password is not reset, the old password still works for logging in

    I did open up the plugin source code and added code that seemed to resolve the issue. This might point to my problem.
    I added the following code to the handle_login() function ~line 171 of /sg-security/core/Custom_Login_Url/Custom_Login_Url.php

    if ( 'resetpass' === $action ) {
        return;
    }

    After adding this code I was able to successfully reset my password.

    Any guidance or help on this issue would be greatly appreciated, thank you!


Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support Dimitar Petrov

    (@demiro)

    Hey @woodardmc,

    Thank you for contacting us about the issue that you noticed. I have replicated and already reported it to our developers. The issue should be fixed in the next releases.

    Thank you for your cooperation.

    Best Regards,
    Dimitar Petrov

    Thread Starter Mark Woodard

    (@woodardmc)

    Hello,

    I saw the latest release from today had “improved support for custom login urls” so I think that might have been the fix you mentioned here.

    However, I tried the same steps I listed with the latest plugin update and still got a 404 page at the end.

    Was there going to be a different fix for this issue in a later release?

    Plugin Support Georgi Ganchev

    (@georgiganchev)

    Hello @woodardmc,

    The newest release of the plugin doesn’t address the issue that you reported.

    We have discussed the case with our developers and they provided further insight on the matter.

    There is a cookie added to the browser once the custom login URL is accessed. It is being checked upon the password reset process as well. So the user needs to open the password reset link from the same browser in which the password reset was requested. This way the link will be opened and the process will be completed without issues. Note that in order to log in with the new password you would still need to access the custom login URL.

    We have this as a security measure to avoid malicious requests towards default pages such as login/resetpass/register etc.

    If you have any additional questions, let us know.

    Best regards,
    Georgi Ganchev
    SiteGround.com Technical Support

    Thread Starter Mark Woodard

    (@woodardmc)

    I understand if it’s a security concern, but it really hurts us in terms of usability.

    We often have clients who need their password reset for one reason or another. We’d like to use the built-in tools in the users admin area to send them a password reset link so they can move on with their day. This functionality is not supported by your plugin according to what you’re saying.

    It’s pretty cumbersome to instead ask them to go to the correct custom link and follow the forgot password path.

    Is there any way your plugin can work around this for password resets?
    From looking at the code in your plugin and testing, you already make an exception to that cookie for requests coming in to wp-login?rp. Why can’t you include an exception for wp-login?resetpass as well so the whole process will work?

    Mark

    Plugin Support Georgi Ganchev

    (@georgiganchev)

    @woodardmc,

    The plugin follows established security practices and for that reason, we cannot make an exception for wp-login.php?action=resetpass.

    We will consider your feedback and think of a way to help plugin users in a situation like the one described, but I cannot give you further details on when and if it will be introduced.

    Best regards,
    Georgi Ganchev
    SiteGround.com Technical Support

    Plugin Author Elena Chavdarova

    (@elenachavdarova)

    Hello @woodardmc,

    We have added rules for resetpass action in today’s plugin release.

    You can verify the results on your end.

    Best Regards,
    Elena
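
A simplified model of the cookie gate discussed in this thread, added here as an illustration; it is not SiteGround's code. The cookie name and function names are hypothetical, and the key and login values in the sample URLs are constructed. It replays the reset flow with and without per-action exemptions to show where the 404 appears.

```php
<?php
// Simplified model of a cookie-gated wp-login.php; not the plugin's code.
const CUSTOM_LOGIN = '/lp-connect';      // custom login path from the thread
const GATE_COOKIE  = 'login_gate_seen';  // hypothetical cookie name

// Returns the HTTP status the gate would produce for one request.
function handle(string $url, array &$cookies, array $exempt): int
{
    $parts = parse_url($url);
    $path  = $parts['path'] ?? '/';
    if ($path === CUSTOM_LOGIN) {
        $cookies[GATE_COOKIE] = '1';     // visiting the custom URL marks the browser
        return 200;
    }
    if ($path !== '/wp-login.php') {
        return 200;                      // the gate only covers the default login script
    }
    parse_str($parts['query'] ?? '', $query);
    $action = $query['action'] ?? 'login';   // wp-login.php defaults to "login"
    if (isset($cookies[GATE_COOKIE]) || in_array($action, $exempt, true)) {
        return 200;
    }
    return 404;
}

// Replays a sequence of URLs in one browser and records each status.
function replay(array $urls, array $exempt): array
{
    $cookies = [];                       // every replay starts with a fresh browser
    $trace   = [];
    foreach ($urls as $url) {
        $trace[] = handle($url, $cookies, $exempt) . ' ' . $url;
    }
    return $trace;
}

// Constructed sample requests; key and login values are placeholders.
$emailedLink = '/wp-login.php?action=rp&key=CONSTRUCTED_KEY&login=client';
$submitForm  = '/wp-login.php?action=resetpass';
$loginPage   = '/wp-login.php';

$scenarios = [
    'custom URL visited first, rp exempt'    => [[CUSTOM_LOGIN, $emailedLink, $submitForm], ['rp']],
    'fresh browser, rp exempt'               => [[$emailedLink, $submitForm], ['rp']],
    'fresh browser, rp and resetpass exempt' => [[$emailedLink, $submitForm, $loginPage], ['rp', 'resetpass']],
];
foreach ($scenarios as $name => [$urls, $exempt]) {
    echo $name, PHP_EOL, '  ', implode(PHP_EOL . '  ', replay($urls, $exempt)), PHP_EOL;
}
```

In the last scenario the plain login page is still refused until the custom login URL has been visited, which matches the support reply about logging in with the new password.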

  • The topic ‘Custom Login Url Causes 404 when Resetting Password’ is closed to new replies.