[wp-trac] [WordPress Trac] #38769: Bugs in wp-login.php
WordPress Trac
noreply at wordpress.org
Sat Nov 12 13:11:50 UTC 2016
#38769: Bugs in wp-login.php
------------------------------------+-----------------------------
Reporter: yetAnotherDaniel | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 4.6.1
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
== Bug summary ==
After registering (wp-login.php?action=register) you get straight to the
'''login screen''' with a small notice to check your email
(wp-login.php?checkemail=registered). But logging-in is not even possible
because users have to set their password via a link provided in their
email in the first place. '''If users nevertheless try to login they get a
misleading error message that could lead to an endless loop of password
reset and the user will not be able to register.'''
'''Bug 1:'''
There should be no login form where a user cannot log-in.
(attachment 1)
'''Bug 2:'''
There should be the message that the user has to set the password first.
(attachment 2)
'''While these things seem to be tiny the results are severe.'''
== Bug description ==
If users register they see after submitting the register form the login
form with the message "Registration complete. Please check your email." on
top. They often overlook this message and try to log-in even if they
didn't set a password yet.
This leads to situations where users are not able to register:
1. When users try to log-in directly after registration they get the
message that the password is wrong. (see attachment)
2. Because of the misstated error message they go to the "Lost your
password?" form and try to get a new password.
3. They now check their email for the first time and open the email from
the registering (!) and not the "lost password" email.
4. They click on the link for setting the password in the register email.
5. This link is invalid because of step 2.
6. They then try again to get a new password.
7. They go back to their email account and open the email from step 2 (!)
and open this link. Because of step 6 the link is again invalid.
8. They try to get a new password.
9. And so on.
Having the impression to be trapped in an endless loop they often think
that the website is full of bugs, are not interested to register anymore
or contact the support for removing bugs.
'''I could provide dozens if not even hundreds of cases where this happened
to my website.'''
== How to reproduce the bugs? ==
1. Try to register.
2. Try to log-in even without a password (put your usual password in it).
3. Set your password back after the error message.
4. Go to your email account and open the register email. Click on the
link.
5. You get the message that the link is invalid. Set your password back.
6. Open the email from step 3 and so on.
== tl;dr ==
After registration you see the login form even if you haven't set a password
yet. If you try to log-in (even if you haven't set a password yet) you get a
misleading error message that could trap you in an endless password reset
process. Users then give up to register or contact support. It is not just
theory. Every day, I lose angry customers or have to support them. Please
have a look at the attachments.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38769>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
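
Added example, not part of the ticket and not WordPress code: a minimal model of the loop in steps 1-9 of the bug description, assuming each account holds a single reset key that every new request overwrites (which is what makes the older e-mailed link invalid). The names ResetKeyStore and replay_ticket_sequence and the sample login are hypothetical.

```python
import hashlib
import hmac
import secrets


class ResetKeyStore:
    """Assumed model: one reset-key slot per account; a new key overwrites the old."""

    def __init__(self):
        self._slot = {}  # login -> SHA-256 hex digest of the currently valid key

    def issue(self, login):
        # Generate a fresh key, store only its digest, return the plaintext
        # key that would be placed in the e-mailed link.
        key = secrets.token_urlsafe(20)
        self._slot[login] = hashlib.sha256(key.encode()).hexdigest()
        return key

    def check(self, login, key):
        # A link is valid only if its key matches the single stored digest.
        stored = self._slot.get(login)
        digest = hashlib.sha256(key.encode()).hexdigest()
        return stored is not None and hmac.compare_digest(stored, digest)


def replay_ticket_sequence(rounds=3):
    """Replay the reported behaviour: after each "Lost your password?" request
    the user opens the e-mail from the previous step, not the newest one."""
    store = ResetKeyStore()
    login = "newuser"  # constructed sample account
    inbox = [store.issue(login)]  # registration e-mail with the set-password link
    stale_results = []
    for _ in range(rounds):
        inbox.append(store.issue(login))  # new reset request overwrites the slot
        older_link = inbox[-2]            # user clicks the previous e-mail's link
        stale_results.append(store.check(login, older_link))
    newest_ok = store.check(login, inbox[-1])  # only the latest link still works
    return stale_results, newest_ok


if __name__ == "__main__":
    stale, newest = replay_ticket_sequence()
    print("older links accepted:", stale)
    print("newest link accepted:", newest)
```

Under this assumption the loop ends only when the user opens the most recent e-mail, which is why the ticket asks for a message that says the password must be set first instead of a login form.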