Users go here https://gnoea.com/login/lost-password/ and type in their email address. They then receive the email from the plugin that says “click here to reset your password”. About 50-75% are being taken back to the initial “please insert email or username to reset password here” screen instead of the screen with the password fields to actually reset and log in. So it’s just an endless loop. When this happens the URL shows as https://gnoea.com/login/lost-password/?updated=invalidkey
Do you have any insight into why this would be happening? I am not sure why sometimes I do seem to be able to successfully reset a password and other times that error is happening. It is happening unreliably between different user roles as well.
Also, the WP function generates 4 hashes but only one is used, so I think there must be a huge problem with the UM plugin according to the hash function from WP:
[23-Dec-2018 15:57:41 UTC] 1545580661:$P$BiLzjLuPDHwVtUlnLmEQE19D4UpgJf0
[23-Dec-2018 15:57:41 UTC] 1545580661:$P$BCAl/MTbiuCyqiix7310EOEn.eJlQz1
[23-Dec-2018 15:57:41 UTC] 1545580661:$P$BH0W.btK4hYFNDidKh.DA46KZhp5Ay.
[23-Dec-2018 15:57:41 UTC] Hash from mail: 1545580661:$P$BOzHQ9mIasqhbdYnkK0n.EXhGXBFyD0
[23-Dec-2018 15:57:41 UTC] 1545580661:$P$BGRg8guQBbhuNKdMCIDSweNUDKLG1v/
I don’t know how to fix this but I’ll try a bit and let you know when it works.
The problem is that the key and hash pair generated by the {password_reset_link} action in the resetpw_email is pair number 3.
But after this pair, another pair is created which also has a key and a hash. The problem now is that hash number 4 is saved to the database but the key from hash number 3 is sent via email to the member.
So the result is that all keys are invalid, because the key from pair 3 doesn’t match the hash from pair 4 (which makes sense).
To clarify whether this is the problem, I would love it if you could do the following steps and paste your result into this question. This is what you need to do:
(Please don’t do this if you are new to programming!)
1. Open your wp-config.php and add the following to the end of the file:
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
(This will generate a debug.log directly in the wp-content folder of WordPress)
2. Go into the wp-includes folder and open the file users.php. Search for this line of code:
$hashed = time() . ':' . $wp_hasher->HashPassword( $key );
Add these 2 expressions directly after it:
error_log( 'Key from user.php: ' . $key );
error_log( 'Hash from user.php: ' . $hashed );
Save the file now and open the email template resetpw_email.php from UM. Now remove the {password_reset_link} from the <a href="{password_reset_link}">.
Now you need to add this between the php tags at the top of the file:
error_log('Reset link from email: ' . UM()->password()->reset_url() );
So now we are good to go. Save everything and upload it to your server. Now go to your UM reset password page and do just one reset. When you get the message that the email was sent successfully, open the debug.log file in your wp-content folder and paste the content here as an answer. We need to do this to check whether it’s not just a problem on my side but a global one.
Now undo everything we did to remove the debugging from your page (we don’t need this anymore, I think).
By the way, I’m not a member of UM. I’m just a programmer and I’m very interested in solving this issue.
[30-Dec-2018 14:04:52 UTC] require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), do_action('template_redirect'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->form_init, do_action('um_reset_password_process_hook'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->um_reset_password_process_hook, um\core\User->password_reset, get_password_reset_key
[30-Dec-2018 14:04:52 UTC] Hashed: 1546178692:$P$BJoSYtR913FSi..xNSAdZaC6RwqYVC1
[30-Dec-2018 14:04:52 UTC] Key saved: 1546178692:$P$BJoSYtR913FSi..xNSAdZaC6RwqYVC1
[30-Dec-2018 14:04:52 UTC] require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), do_action('template_redirect'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->form_init, do_action('um_reset_password_process_hook'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->um_reset_password_process_hook, um\core\User->password_reset, um\core\Mail->send, um_convert_tags, um_user, um\core\Password->reset_url, get_password_reset_key
[30-Dec-2018 14:04:52 UTC] Hashed: 1546178692:$P$B6/0iQI1Ke5KODTKihHCctTROvUorc.
[30-Dec-2018 14:04:52 UTC] Key saved: 1546178692:$P$B6/0iQI1Ke5KODTKihHCctTROvUorc.
[30-Dec-2018 14:04:52 UTC] require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), do_action('template_redirect'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->form_init, do_action('um_reset_password_process_hook'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->um_reset_password_process_hook, um\core\User->password_reset, um\core\Mail->send, um\core\Mail->prepare_template, um\core\Mail->get_email_template, include('/themes/enwikuna/ultimate-member/email/resetpw_email.php'), um\core\Password->reset_url, get_password_reset_key
[30-Dec-2018 14:04:52 UTC] Hashed: 1546178692:$P$BSQgzwcRgvKVaSbQ5U5uQ.YUHIHfoB.
[30-Dec-2018 14:04:52 UTC] Key saved: 1546178692:$P$BSQgzwcRgvKVaSbQ5U5uQ.YUHIHfoB.
[30-Dec-2018 14:04:52 UTC] Reset URL: https://www.enwikuna.de/passwort-zuruecksetzten/?act=reset_password&hash=6vjgRQfnvawpH5Ga6S8S&user_id=19
[30-Dec-2018 14:04:52 UTC] require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), do_action('template_redirect'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->form_init, do_action('um_reset_password_process_hook'), WP_Hook->do_action, WP_Hook->apply_filters, um\core\Password->um_reset_password_process_hook, um\core\User->password_reset, um\core\Mail->send, um\core\Mail->prepare_template, um_convert_tags, um_user, um\core\Password->reset_url, get_password_reset_key
[30-Dec-2018 14:04:52 UTC] Hashed: 1546178692:$P$Bw6cVAT69d34uzXkEf2uKAYf40Kwnm/
[30-Dec-2018 14:04:52 UTC] Key saved: 1546178692:$P$Bw6cVAT69d34uzXkEf2uKAYf40Kwnm/
// Apply CSS styles inline for picky email clients.
try {
    $emogrifier = new Emogrifier( $message, $css );
    $message    = $emogrifier->emogrify();
} catch ( Exception $e ) {
    $logger = wc_get_logger();
    $logger->error( $e->getMessage(), array( 'source' => 'emogrifier' ) );
}
// Temporarily fix emogrified {} to ASCII code
$message = str_replace( array( '%7B', '%7D' ), array( '{', '}' ), $message );
The problem was that the Emogrifier turned the placeholder openings and closings back to its ASCII code, so UM was not able to replace it.
Because of this, I first replaced it with the function itself that is called from the placeholder. But the problem is that the placeholder is called anyway, so the last hash was generated by the plugin trying to find the placeholder.
My wish is to remove the whole placeholder thing and call the function directly to get the reset link so that this can be used in custom templates too.
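The overwrite described in this thread, as an added example that is not code from WordPress, Ultimate Member or any poster: every call that issues a reset key replaces the single stored hash, so only the key from the last call validates. `issue_reset_key`, `check_reset_key` and `reset_key_once` are hypothetical stand-ins, `password_hash()` substitutes for the phpass hasher, and user ID 19 is taken from the logged reset URL.

```php
<?php
// Added illustration; not WordPress or Ultimate Member code.
// $store stands in for the single user_activation_key column of one user.
$store = array();

// Stand-in for get_password_reset_key(): every call mints a new key and
// overwrites the stored hash. password_hash() replaces phpass here.
function issue_reset_key( array &$store, int $user_id ): string {
    $key = bin2hex( random_bytes( 10 ) );
    $store[ $user_id ] = time() . ':' . password_hash( $key, PASSWORD_DEFAULT );
    return $key;
}

// Stand-in for check_password_reset_key(): only the stored hash can match.
function check_reset_key( array $store, int $user_id, string $key ): bool {
    if ( empty( $store[ $user_id ] ) ) {
        return false;
    }
    list( , $hash ) = explode( ':', $store[ $user_id ], 2 );
    return password_verify( $key, $hash );
}

// Hypothetical fix: mint at most one key per user per request and reuse it.
function reset_key_once( array &$store, int $user_id ): string {
    static $issued = array();
    if ( ! isset( $issued[ $user_id ] ) ) {
        $issued[ $user_id ] = issue_reset_key( $store, $user_id );
    }
    return $issued[ $user_id ];
}

// Buggy flow from the log: the mail body gets key 3, then the placeholder
// lookup triggers a fourth call whose hash is the one left in the database.
issue_reset_key( $store, 19 );
issue_reset_key( $store, 19 );
$mailed = issue_reset_key( $store, 19 );
issue_reset_key( $store, 19 );
var_dump( check_reset_key( $store, 19, $mailed ) ); // mailed key 3 vs. stored hash 4

// Fixed flow: four lookups in one request, one key, one stored hash.
$mailed = reset_key_once( $store, 19 );
for ( $i = 0; $i < 3; $i++ ) {
    reset_key_once( $store, 19 );
}
var_dump( check_reset_key( $store, 19, $mailed ) ); // mailed key vs. its own hash
```

The first check fails because the stored hash belongs to the fourth key, which is the `?updated=invalidkey` loop reported at the top of the thread; the second succeeds because the mail and the stored hash come from the same call.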