password reset link appears to be invalid error

Thats a tough one. That shouldnt happen if you really disabled all plugins and use a default theme – did you remember to remove mu-plugins?

What I would do is download latest WP and copy the wp-config.php over. If that doesnt work, you’re in trouble. Of course keep your previous version of WP as backup.

thanks for your reply. Yes the MU plugin directory has been renamed, there are zero plugins showing from wp-admin.

I just recreated the wp-config.php from the sample, using the bare minimum config and new salts and I still have the exact same error when attempting password reset unfortunately.

thanks Andy.

Andy –
What I recommend is to download a fresh copy of WP. In case you corrupted yours. I would rename the existing WP directory. Download a fresh copy in the same folder as the previous WP. Copy over wp-config.php and .htaccess.

Hi,

ok, so I’ve taken a tar.gz of the WordPress 4.7.3 and I’ve moved the original WordPress directory and replaced it with the fresh WordPress and all I’ve done is moved over the wp-config.php. I forgot to mention, this installation is Nginx + PHP FPM so there’s no .htaccess.
So after all that, I still have the exact same error. Unless its a bug, that would only seem to leave my wp-config.php and Nginx config as possible cuplrits? Should I post those in full here?

thanks, Andy.

> I forgot to mention, this installation is Nginx + PHP FPM so there’s no .htaccess
Then how did you implement .htaccess rules? How did you translate the .htaccess rules to nginx rules? IMO, that is probably the problem (nginx configuration). But I am not sure why only the reset password is affected; and what exactly is the cause.

Can you tell me how users initiate lost password? Do they hit the url https://domain.com/wp-login.php?action=lostpassword

So far this tells me that it isnt a WP problem. Its pointing to a configuration issue

Yep, so the password reset is requested from

https://domain.com/wp-login.php?action=lostpassword

the email has a link similar to:

https://domain.com/wp-login.php?action=rp&key=7T2V5y5W44j0KOBGylCb&login=andytest

and as soon as you access the above link you are redirected to

https://domain.com/wp-login.php?action=lostpassword&error=invalidkey

Hi,

I’ve just installed Apache 2.4.7 and I get exactly the same error ??

thanks, Andy.

• Has lost password ever worked?
• Have you changed anything recently? Especially WRT ssl

lostpassword is working correctly. Action rp (resetpassword) is generating an error. If you click on the email rp link this is what should happen in the browser:
https://domain.com/wp-login.php?action=rp&key=7T2V5y5W44j0KOBGylCb&login=andytest
redirects to https://domain.com/wp-login.php?action=rp
redirects to https://domain.com/wp-login.php?action=lostpassword&error=invalidkey

Many things could create that error. Server configuration: ssl, cookies… others but hard to determine.

Hi,

I haven’t personally used this type of password reset ever. I assume its worked in the past as no one has ever complained before.
The site I’m testing against is HTTP, so no SSL. Server config is now default Apache 2.4 install, htaccess as mandated by WordPress. Wp-config.php also contains default settings plus what wp-admin instructs me to add.

any suggestions of what else I can test or try?

thanks, Andy.

I have a newish WP 4.7.3 system and lostpassword/resetpassword works.

Are you a developer? I can tell you the problem area to debug is wp-login.php line 567 – 590. My guess is its failing on line 578 check_password_reset_key() but only you can determine that.

I’m a sys admin who can program in shell and perl, have hacked at PHP a bit from time to time but basically a novice. Also I’m pretty familiar with WordPress’s DB and have done quite a lot of stuff direct to the DB on multisite installs, but probably that won’t help me much here!

I’m able to see that I’m hitting the problem at line 503 if ( 'invalidkey' == $_GET['error'] ) but I’m unsure where the $_GET error bit is coming from.

Im continuing to read through the code but any hints or tips would be welcome ??

thanks, Andy.

Debugging can get quite involved. Email me directly

• This reply was modified 7 years, 7 months ago by jkhongusc.

I had the exact same problem when I switched to NGINX, the website I use is Multisite and registration is handled through subdomain site. So I switched this subdomain to Apache and left Nginx to serve only static files. That fixed the problem.

Thanks for the info. As mentioned in the thread, I’m now testing against Apache (on another system) to simplify the troubleshooting, however I still have the same problem.

One weird thing I’ve just noticed is that it seems I cannot logout, after doing a logout and being told I’m logged out I am actually still logged in and can access wp-admin. The only way I can really log out is clearing my local cookies. So seems like something bad is happening with sessions on the server. I actually don’t see any files in the PHP session.save_path “/var/lib/php5/sessions”. Incidentally on the live server I’m using memcache and also see this issue

• This reply was modified 7 years, 7 months ago by andyldex.

Hi all,

I’ve now resolved this issue, on both my test system (Apache + mod PHP) and live (Nginx + PHP FPM). The issue in the end was WordPress was generating a wrong COOKIEHASH which was due to it failing to get anything from $siteurl = get_site_option( 'siteurl' ) in default-constants.php. And this in turn was due to a missing entry for “siteurl” in wp_sitemeta. Once I manually added the entry into wp_sitemeta everything started to work as expected.
Many thanks to James (jkhongusc) for helping me out on this, much appreciated!

Andy.