• Resolved syew91

    (@syew91)


    Hi,
    I am hosting WP on my intranet, and I came across a hiccup recently.
    Our laptop is configured to only connect to the intranet, and all the internet traffic goes through a centralized filtering server (yea dumbass right). Anyway, we have a community module and we use login, password etc. So the problem now is, when a user forgets their password they request a reset and get a link. However, our smartass server blocks the redirection from Gmail to the intranet, and IT is not negotiating on it.

    So I am thinking of a solution whereby, in the password reset email, we get a code instead of a link, and upon resetting the password we have to enter the code, followed by the password reset. I’ve tried to look for a plugin that does this, with no result. The question is, does anyone know of a plugin or solution for my problem, where the password reset will send a password instead of a link? Do help.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator bcworkz

    (@bcworkz)

    So the issue is clicking the link in gmail does not work due to intranet security? Wouldn’t someone be able to copy/paste the link in the email into their browser and then be able to enter their new password? If so, the link URL in essence becomes your “code” that is input in the browser address field instead of a form field. Changing the email instructions to “Paste this URL into your browser’s address field” is relatively simple compared to putting up a custom reset code scheme.

    Thread Starter syew91

    (@syew91)

    Ha well, I’ve tried to do that but it doesn’t work. Because we literally have a menu of accessible websites that we can choose from (sounds like a prison right, but thank god we have more than 4000 websites, or so it’s claimed). That being said, our Chrome is literally just a browser with no address bar =D

    Moderator bcworkz

    (@bcworkz)

    I understand the need for organizations to enforce serious security measures. It’s frustrating, and if everyone could reliably use the Internet responsibly, it wouldn’t be necessary. As we all know, irresponsible use happens, so we all get stuck with horrible constraints due to the few clueless users.

    You can put up a page that contains a form in which users can input the hexadecimal nonce added to the end of the link in the email. The form can use that to submit to the same destination as the original link. If the form field’s name matches the link’s query var, WP will see the form submittal the same way as a clicked link in an email and will serve the usual password change dialog.

    The email can be altered to make it more clear what the proper value to input is.

    Thread Starter syew91

    (@syew91)

    Hi bcworkz,
    So far I’m following, and I understand the logic behind it. The question now becomes: How do I execute it..?

    Thread Starter syew91

    (@syew91)

    Ok, I just checked through the almanac and found the page describing nonces. I will read it and try to execute what you’ve mentioned from there. If I fail, I think I might post another support question. I will mark the question as resolved for now, since the mod has actually answered my question (and it was my lack of skills holding it back lol). Thanks mod!

    Moderator bcworkz

    (@bcworkz)

    Happy to help.

    In case it helps some, an example. The link sent in the default password reset email looks something like this:
    example.com/wp-login.php?action=rp&key=cfh7GDujItqaf7doX9Sd&login=bcworkz

    The character string value for “key” is what we are interested in. While it serves as a nonce of sorts, it’s not a WP hexadecimal nonce like I was thinking, it’s actually a hashed value. Sorry for any confusion, I haven’t reset my password through this mechanism in a long time.

    You can use the “retrieve_password_message” filter to alter the email message sent to users. Besides passing the default message to your filter callback, this key, the user login name, and other data are passed. Return your custom message telling users to copy/paste the key into the custom form on the site.

    The custom form collects login name and key value from the user and uses the data to reconstruct the above link. By redirecting to that reconstructed link, WP will put up its usual password reset form. It will only do so with a correct key, which will expire in a day or two.

    I hope this helps get you on your way to a solution. Happy coding!
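
The approach described in the last reply, written out as a small plugin. This is an added example, not code posted in the thread or shipped with WordPress. Assumptions: the page slug `/reset-code/`, the shortcode name `reset_code_form` and the email wording are hypothetical; the form uses a GET submit so the browser builds the same `action=rp&key=…&login=…` request as the emailed link.

```php
<?php
/**
 * Plugin Name: Reset Code Form (added example)
 * Description: Emails the password reset key as a code and provides a form to enter it.
 */

// Assumption: a page at this path contains the [reset_code_form] shortcode.
const RCF_FORM_PATH = '/reset-code/';

// Replace the default reset email body so it carries the key as a code, not a link.
// WordPress passes the message, the plain reset key, the login name and the user object.
add_filter( 'retrieve_password_message', function ( $message, $key, $user_login, $user_data ) {
	$lines = array(
		sprintf( 'A password reset was requested for the account "%s".', $user_login ),
		'If you did not request this, ignore this email and nothing will change.',
		'',
		'Open this page from the intranet: ' . home_url( RCF_FORM_PATH ),
		'Enter your username and this reset code:',
		'',
		$key, // Password-equivalent until used or expired; never log or store it.
	);
	return implode( "\r\n", $lines ) . "\r\n";
}, 10, 4 );

// Form whose field names match the query vars of the emailed link (action, key, login).
// The hidden "action" field is needed because a GET submit discards any query string
// already present in the form's action URL.
add_shortcode( 'reset_code_form', function () {
	ob_start();
	?>
	<form method="get" action="<?php echo esc_url( site_url( 'wp-login.php', 'login' ) ); ?>" autocomplete="off">
		<input type="hidden" name="action" value="rp">
		<p><label>Username <input type="text" name="login" required></label></p>
		<p><label>Reset code <input type="text" name="key" required></label></p>
		<p><button type="submit">Continue</button></p>
	</form>
	<?php
	return ob_get_clean();
} );
```

The key is still validated by `wp-login.php` itself, so a wrong or expired code gets the normal WordPress error and the form adds no new way to bypass the reset check.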

  • The topic ‘Password Reset Issue’ is closed to new replies.