Expired password reset Key ?

This has been a known but minor issue for a little while. Up until now, in the development setups it all works smoothly, so I had not been able to isolate exactly what was going on.

However, just today, working with a user who is a premium support subscriber, I was able to pin it down – at least insofar as knowing “what” is happening – I still haven’t figured out the exact “why,” although I have a good idea what that is.

When the key is used to retrieve the user ID, it should be a unique value. Unfortunately (and leaving out some specifics here for sake of space), there are instances where that isn’t happening – there are multiple users with the same generated key. I’m fairly certain the cause is object caching.

So what happens is that the process queries only for the first result, assuming it’s unique that should return the correct user. But in these error situations, it’s returning a different user, who would of course have a different timestamp for the key, hence the expiration notice.

I had planned some changes to this process anyway, because I need to make some changes for tighter integration when other plugins are also used that rely on WP’s user processes. Since correcting this problem requires some digging into the process, it seems now would be the time to implement those changes.

For the time being, you can deactivate the setting for the feature and use the old password reset. The new process I should have complete and tested before the end of the week (hopefully in the next day or so) and will post it as an available patch file (the whole process is already contained in a single file, so patching it will be as simple as replacing that file). Then it will be incorporated into the next available update.

The patch will be announced on the premium support site’s blog feed (https://rocketgeek.com/blog/) which also displays in the sidebar of the plugin’s main options panel, so when it’s out, you will be notified that way.

Thanks for getting back to me on this issue.
It’s been a bit of a problem to say the least.

Looking forward to the reworked plugin.

Haven’t announced via the site yet, but a potential patch is now available here:
https://gist.github.com/rocketgeek/4d5c6587b1c0e93a3e9ee519b060d9ff

Replace wp-members/includes/class-wp-members-pwd-reset.php with the gist above.

There may be some additional adjustments made, but for the most part, this resolves in the official testing environment and on some user sites I have applied it to already.

Excellent job Chad. Fixed my problems and now no mo0ans from our subscribers.
Genius programmer.
Thanks.

@cbutlerjr
Since the latest update to version 3.3.8, there is a problem that a link is sent for “Forgot password”, but it does not work if there is a space in the username. the link then looks something like this:
“https://<domain.name>/password-forgotten/?a=set_password_from_key&key=<xxxxxxx>&login=user name”.
The space in the name is not included in the hyperlink. If the user clicks on this link, he receives the following error message:
“Sorry, no password reset key was found. Please check your email and try again.”
If the hyperlink is entered manually in the browser completely, i.e. with the space, the reset works.

This is an automatic translation from german to english, because my english is not very good.

• This reply was modified 4 years, 2 months ago by nbahnfreunde.