Still have the password reset invalid problem

What happens, exactly?

I always get the “Your password reset link appears to be invalid. Please request a new link below” error. I have WP Super Cache turned deactivated and my hosting (Inmotionhosting.com) states that they don’t have server caching on my sever.

If I enter my username or email again to request a new link that link works sending me to a page to reset the password… however there is only one password entry, not another one to confirm password.

@jeff
Any idea how to fix this?

I have some info that may help solve it…

Here is the first link that is sent and gives you the invalid key error:
###############/resetpass/?key=b6rzItJHWllZ1lAC5eK1&login

When you request a new link from that page saying it is invalid you get this link:
###############/resetpass/?key=Dp53Ja4mYUtM3o1YE963&login=troy

This second link works good. Notice that the end of this the key is the username which some how makes it valid. How can this happen on the first link sent.
(I hassed out the URL for security)

Thanks,
Troy

Server side caching is typically the only thing that causes this behavior. Also, when it does work, you only see one field because that’s how the process works now – and has for some time.

I will check again with my hosting about the caching, but they have assured me that there is none as I’m on shared hosting. Any other possibilities that might be causing this?
Something to look for in the theme??

I thought that there was a confirm password field by default. It there a way to put in a confirm password field?

I have confirmed with my host that there is NO server side caching.
When I disable the TML plugin the password reset works. When TML is enabled I get the invalid link error and the link in the email is as described above… missing the =user at the end.

Jeff,
After lots more testing I have found that this issue happens with the enable custom email module. If I have the module enabled but don’t enter anything into the email fields (as stated it leaves them as default) the link is sent out and works. So the module can be enabled and everything is OK. The error happens when you enter any new data into the custom email fields. If you do, you get the error.

Hope this may help in solving a bug that is clearly in the email module.

The plugin is great and I am continuing to use it, just not able to have custom emails.

Troy

I will look into it – thanks.

I have exactly the same issue. The difference is that “custom email” module does not resolve the issue for me.
I have been debuggin and the problem where issue arises is in class-theme-my-login.php around line 371.

if ( isset( $_GET['key'] ) ) {
  $value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) );
  setcookie( $rp_cookie, $value, 0, '/', COOKIE_DOMAIN, is_ssl(), true );
  wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) );
  exit;
}

It seems that wp_safe_redirect and exit are last functions executed and the rest part of the code is never executed:

if ( isset( $_COOKIE[ $rp_cookie ] ) && 0 < strpos( $_COOKIE[ $rp_cookie ], ':' ) ) {

Looks like under some conditions wp_safe_redirect is not executed or something else. I have tried to change it ot wp_redirect but it does not help. For me it looks strange that you have to put login and key into cookie and make a redirect to same page and then read those variable from cookies again. Maybe it is a security concern, but it seems it has few issues in certain configurations.

P.S. Hosting caching is disabled. Using wpengine.

Any ideas.

Very strange this is that via wp-login.php?action=lostpassword everything works like a charm. Even though the code on line ~371 is almost identical copy paste from wp-login.php…

Any news on this @jeff?
I see it was marked resolved. Will there me an update forthcoming?

Also wpengine, turned off all caching – with exception of HyperDB required by wpengine.

There are no other plugins running and we still get the invalidkey error message. Deactivaste TML, and WordPress native lostpassword is working.

It would be more correct if author has removed [resolved] tag as it is misleading.

Jeff,
Also, if it helps I am using Paid Memberships Pro for my users to create an account. Not sure this has anything to do with it but perhaps it can help in trouble shooting. Again, with the your custom email module deactivated it works fine. When activated it doesn’t.

Thanks,
Troy