[wp-trac] [WordPress Trac] #58901: Flush 'user_activation_key' after successfully login
WordPress Trac
noreply at wordpress.org
Tue Jul 25 08:38:46 UTC 2023
#58901: Flush 'user_activation_key' after successfully login
------------------------------------+-----------------------------
Reporter: nsinelnikov | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: trunk
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
Hi all,
Let's imagine the following steps:
1. A user goes to `{site_url}/wp-login.php?action=lostpassword` to get a
password reset link sent to their email.
2. They then go to their email and open the password reset link, which has an
expiration time (`DAY_IN_SECONDS` by default). That part was resolved
[https://core.trac.wordpress.org/ticket/32429 a long time ago]. But then
they remember their old password and log in using a second web browser with
their username and old password. At the same time, the password reset link
remains active in the first browser for a whole day.
3. If it's a public laptop, anybody can use the password reset link, log in
with new credentials and do some hacker things.
**Suggestions:**
Flush the 'user_activation_key' after a successful login. In
wp-includes/user.php, around line 113, before:
{{{
do_action( 'wp_login', $user->user_login, $user );
}}}
this block can be added:
{{{
global $wpdb;

// Clear any outstanding password reset key for the user who just logged in.
$wpdb->update(
    $wpdb->users,
    array(
        'user_activation_key' => '',
    ),
    array( 'ID' => $user->ID )
);

// Invalidate the cached user object so check_password_reset_key(), which
// reads the user via get_user_by(), sees the cleared key immediately.
clean_user_cache( $user->ID );
}}}
Best Regards!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58901>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list
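The same mitigation can be applied without patching core by hooking the `wp_login` action from a must-use plugin. The following is an added example, not code from the ticket or from WordPress itself; the file name `wp-content/mu-plugins/clear-reset-key-on-login.php` is an assumption, while `wp_login`, `$wpdb->update()`, `clean_user_cache()` and `check_password_reset_key()` are existing WordPress APIs.

```php
<?php
/**
 * Plugin Name: Clear password reset key on login (example)
 * Description: Added example for Trac #58901. Drop into wp-content/mu-plugins/
 *              (assumed path). Invalidates an outstanding password reset link
 *              as soon as the account logs in with its existing password.
 */

// Abort if loaded outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Clear the stored reset key for a user and invalidate the user cache.
 *
 * Returns true when a row was updated, false when nothing changed
 * (e.g. no key was set) or the update failed.
 */
function example_clear_user_activation_key( $user_id ) {
    global $wpdb;

    $user_id = (int) $user_id;
    if ( $user_id <= 0 ) {
        return false;
    }

    $updated = $wpdb->update(
        $wpdb->users,
        array( 'user_activation_key' => '' ),
        array( 'ID' => $user_id ),
        array( '%s' ),
        array( '%d' )
    );

    // Without this, get_user_by() may keep serving the stale key from the
    // object cache, so the reset link would keep validating.
    clean_user_cache( $user_id );

    return ( false !== $updated && $updated > 0 );
}

/**
 * wp_login fires after credentials are verified and the auth cookie is set.
 * Runs early (priority 1) so later hooks already see the cleared key.
 */
add_action(
    'wp_login',
    function ( $user_login, $user ) {
        if ( ! ( $user instanceof WP_User ) ) {
            return;
        }
        example_clear_user_activation_key( $user->ID );
    },
    1,
    2
);

/**
 * Optional self-check for a developer running WP-CLI or a test install:
 * after a login, any previously issued reset key must be rejected.
 * Returns true when the key is rejected with the 'invalid_key' code.
 */
function example_reset_key_is_rejected( $key, $user_login ) {
    $result = check_password_reset_key( $key, $user_login );
    return is_wp_error( $result ) && 'invalid_key' === $result->get_error_code();
}
```

Because `wp_login` also fires for cookie-less programmatic logins (for example `wp_signon()` from other plugins), the hook clears keys for those as well, which is the intended behaviour: any fresh authentication with the real password proves the reset link is no longer needed. Site owners who want to confirm the effect can request a reset link for a test account, log in with the old password, and then call `example_reset_key_is_rejected()` with the link's `key` and `login` parameters; it returns true once the key has been cleared.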