[wp-trac] [WordPress Trac] #58427: Retain existing user session when changing password
WordPress Trac
noreply at wordpress.org
Tue May 30 03:59:13 UTC 2023
#58427: Retain existing user session when changing password
--------------------------+--------------------------------------
Reporter: dd32 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 4.0
Severity: normal | Keywords: dev-feedback 2nd-opinion
Focuses: |
--------------------------+--------------------------------------
When a user changes their password, their existing user session is ignored
and a new session is started.
This happens due to `wp_update_user()` not passing the current session
token to `wp_set_auth_cookie()`.
https://github.com/WordPress/wordpress-develop/blob/e82251df5bd59fb4327d0b0aa7a57ade20fe97c2/src/wp-includes/user.php#L2717-L2735
This can cause problems for some plugins which use the
`attach_session_information` hook, or which add additional information to
the current session through `WP_Session_Manager::update()`.
Another issue occurs when the password is updated through the REST API: a
new session will be created, but the response (and the rest of the REST API
processing) will be operating with the old session token, as that's what's
set in `$_COOKIE`. So if any user fields in the REST API response are
reliant upon a piece of session metadata, it'll be incorrect for the
following HTTP requests from the user.
The workaround for plugins is to hook into `attach_session_information` and,
when a new session is being created for the current user, copy the current
session's metadata over to the new session. This is less than ideal, as
it's not clear that the new session is definitely the same as the client's
session (i.e. the newly created session might not come from
`wp_set_auth_cookie()` and might be a new session created for another
purpose).
PR attached, which retains the existing session when changing the
password.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58427>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
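The plugin-side workaround the ticket describes, written out as an added example (this is not the attached PR and not core code). It assumes it is loaded as a plugin or mu-plugin and uses core's `wp_get_session_token()`, `WP_Session_Tokens` and the `attach_session_information` filter; the key names treated as core-managed are those `WP_Session_Tokens::create()` sets itself.

```php
<?php
/**
 * Added example: when core creates a new session for the currently logged-in
 * user, copy the plugin metadata of the session the client is actually using
 * (identified by the token in the auth cookie) into the new session.
 */

add_filter( 'attach_session_information', 'example_copy_session_metadata', 10, 2 );

/**
 * @param array $session Session data being attached to the new session.
 * @param int   $user_id User the new session belongs to.
 * @return array
 */
function example_copy_session_metadata( array $session, $user_id ) {
	// Only act for the user who owns the cookie we are about to read.
	if ( (int) $user_id !== get_current_user_id() ) {
		return $session;
	}

	// Token of the session the client is using right now (from the auth cookie).
	$current_token = wp_get_session_token();
	if ( '' === $current_token ) {
		return $session;
	}

	$manager = WP_Session_Tokens::get_instance( $user_id );
	$current = $manager->get( $current_token );
	if ( empty( $current ) ) {
		return $session;
	}

	// Fields core sets in WP_Session_Tokens::create() are left to core; only
	// plugin metadata is copied. As the ticket notes, this hook cannot tell
	// whether the new session replaces the client's session or is being created
	// for some other purpose, so that other session inherits the metadata too.
	$core_keys = array( 'expiration', 'ip', 'ua', 'login' );
	foreach ( $current as $key => $value ) {
		if ( ! in_array( $key, $core_keys, true ) && ! array_key_exists( $key, $session ) ) {
			$session[ $key ] = $value;
		}
	}

	return $session;
}
```

Because the copy cannot be scoped to the session started by `wp_set_auth_cookie()`, any session flag that grants elevated trust should be re-established rather than inherited this way.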