[wp-trac] [WordPress Trac] #38769: Bugs in wp-login.php

WordPress Trac noreply at wordpress.org
Sat Nov 12 13:11:50 UTC 2016


#38769: Bugs in wp-login.php
------------------------------------+-----------------------------
 Reporter:  yetAnotherDaniel        |      Owner:
     Type:  defect (bug)            |     Status:  new
 Priority:  normal                  |  Milestone:  Awaiting Review
Component:  Login and Registration  |    Version:  4.6.1
 Severity:  normal                  |   Keywords:
  Focuses:                          |
------------------------------------+-----------------------------
 == Bug summary ==


 After registering (wp-login.php?action=register) you get straight to the
 '''login screen''' with a small notice to check your email
 (wp-login.php?checkemail=registered). But logging in is not even possible,
 because users have to set their password via a link provided in their
 email in the first place. '''If users nevertheless try to log in, they get a
 misleading error message that could lead to an endless loop of password
 resets, and the user will not be able to register.'''

 '''Bug 1:'''
 There should be no login form where a user cannot log in.
 (attachment 1)

 '''Bug 2:'''
 There should be the message that the user has to set the password first.
 (attachment 2)

 '''While these things seem to be tiny, the results are severe.'''

 == Bug description ==

 After submitting the registration form, users see the login form with the
 message "Registration complete. Please check your email." on top. They
 often overlook this message and try to log in even though they haven't set
 a password yet.

 This leads to situations where users are not able to register:

 1. When users try to log in directly after registration they get the
 message that the password is wrong. (see attachment)
 2. Because of the misstated error message they go to the "Lost your
 password?" form and try to get a new password.
 3. They now check their email for the first time and open the registration
 email (!) and not the "lost password" email.
 4. They click on the link for setting the password in the register email.
 5. This link is invalid because of step 2.
 6. They then try again to get a new password.
 7. They go back to their email account, open the email from step 2 (!) and
 click its link. Because of step 6 the link is again invalid.
 8. They try to get a new password.
 9. And so on.

 Having the impression of being trapped in an endless loop, they often think
 that the website is full of bugs, are no longer interested in registering,
 or contact support to get the bugs removed.

 '''I could provide dozens if not hundreds of cases where this happened on
 my website.'''


 == How to reproduce the bugs? ==

 1. Try to register.
 2. Try to log in even though you have no password yet (enter your usual
 password).
 3. Reset your password after the error message.
 4. Go to your email account and open the registration email. Click on the
 link.
 5. You get the message that the link is invalid. Reset your password.
 6. Open the email from step 3, and so on.
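 The loop in the steps above arises because an account carries only its most
 recent password reset key, so each new "Lost your password?" request
 invalidates the link in the previous email. The following Python model is an
 added example, not WordPress code or part of this ticket: the account store,
 the `fixed` flag and the message strings are assumptions used to replay the
 steps and to contrast today's "incorrect password" message with the
 "set your password first" message Bug 2 asks for.

```python
import hashlib
import hmac
import secrets

# Constructed model of the flow the ticket describes (not WordPress code):
# an account keeps only its most recent reset key, so every new reset
# request silently invalidates the link sent in the previous email.

def _hash(value):
    return hashlib.sha256(value.encode()).hexdigest()

def issue_reset_key(acct):
    """Put a fresh key on the account; the previous key stops validating."""
    key = secrets.token_urlsafe(16)
    acct["reset_key_hash"] = _hash(key)
    return key

def register(store, login):
    # password_hash stays None until the user follows an emailed reset link
    store[login] = {"password_hash": None, "reset_key_hash": None}
    return issue_reset_key(store[login])   # key in the registration email

def reset_link_valid(store, login, key):
    stored = store[login]["reset_key_hash"]
    return stored is not None and hmac.compare_digest(stored, _hash(key))

def attempt_login(store, login, password, fixed=False):
    """fixed=False: today's misleading message; fixed=True: the Bug 2 message."""
    acct = store.get(login)
    if acct is None:
        return "invalid_username"
    if acct["password_hash"] is None:
        return "set_password_first" if fixed else "incorrect_password"
    ok = hmac.compare_digest(acct["password_hash"], _hash(password))
    return "ok" if ok else "incorrect_password"

def simulate_loop():
    """Replay ticket steps 1-6 and return what the user sees at each point."""
    store = {}
    key1 = register(store, "daniel")                    # 1: register
    msg = attempt_login(store, "daniel", "usual-pass")  # 2: login fails
    key2 = issue_reset_key(store["daniel"])             # 3: "Lost your password?"
    reg_link = reset_link_valid(store, "daniel", key1)  # 4: old link is dead
    key3 = issue_reset_key(store["daniel"])             # 5: reset again
    lost_link = reset_link_valid(store, "daniel", key2) # 6: that link is dead too
    return {"login_msg": msg, "reg_link_ok": reg_link, "lost_link_ok": lost_link,
            "newest_link_ok": reset_link_valid(store, "daniel", key3),
            "fixed_msg": attempt_login(store, "daniel", "usual-pass", fixed=True)}
```

 Only the newest link ever validates, which is exactly why a user who opens
 the older email each time never escapes the loop.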


 == tl;dr ==

 After registration you see the login form even though you haven't set a
 password yet. If you try to log in (even though you haven't set a password
 yet) you get a misleading error message that could trap you in an endless
 password reset process. Users then give up on registering or contact
 support. It is not just theory. Every day, I lose angry customers or have
 to support them. Please have a look at the attachments.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38769>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform