#58911 closed enhancement (worksforme)
Destroy logged-in sessions after successful password reset
Reported by: | nsinelnikov | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 6.3 |
Component: | Login and Registration | Keywords: | has-patch close |
Focuses: | Cc: |
Description
There is a wp-login.php form popup if the session is expired in wp-admin. But for the frontend part there can be this enhancement:
- Go to Browser A and log in with your credentials.
- Go to Browser B (it can be a public device) and log in with your credentials again.
- Go back to Browser A and change or reset your password.
- After a successful reset/change of a password in Browser A, the session in Browser B should be destroyed and the user should automatically be logged out.
Change History (3)
This ticket was mentioned in PR #4915 on WordPress/wordpress-develop by @nsinelnikov.
12 months ago
#1
- Keywords has-patch added
#2
@
12 months ago
- Keywords close added
- Resolution set to worksforme
- Status changed from new to closed
Hi @nsinelnikov, thanks for the ticket. The user in Browser A will be forced to log in after the password reset is initiated from Browser B, even without the patch you attached. The reason is that we check whether the password was changed, and then use the wp_clear_auth_cookie() function to reset any cookie related to authentication.
https://developer.wordpress.org/reference/functions/wp_clear_auth_cookie/
Your contribution is more than welcome. But, as this functionality is already in the core, I will be closing this ticket for now with the resolution of "worksforme".
Destroyed user's sessions using WP_Session_Tokens class.
Trac ticket: https://core.trac.wordpress.org/ticket/58911
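
One way to revoke a user's server-side session tokens with WP_Session_Tokens when the password changes, as an added example; it is not the code from PR #4915 and not WordPress core code. The helper name `example_revoke_all_sessions` and the choice of the `after_password_reset` and `profile_update` hooks are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Revoke sessions on password change (illustrative example)
 */

// Hypothetical helper; not part of WordPress core or of PR #4915.
function example_revoke_all_sessions( $user_id ) {
	// Each login has a session token stored server-side (in user meta by default).
	// destroy_all() deletes every token for this user, so auth cookies that
	// carry one of them no longer validate. This includes the session of the
	// browser that is making the change.
	WP_Session_Tokens::get_instance( (int) $user_id )->destroy_all();
}

// Password set through the "lost password" reset flow.
add_action(
	'after_password_reset',
	function ( $user ) {
		example_revoke_all_sessions( $user->ID );
	}
);

// Password changed through a profile update (own profile or by an administrator).
add_action(
	'profile_update',
	function ( $user_id, $old_user_data ) {
		$user = get_userdata( $user_id );

		// Compare the stored hashes so that ordinary profile edits
		// (display name, e-mail, ...) do not log the user out everywhere.
		if ( $user && $old_user_data->user_pass !== $user->user_pass ) {
			example_revoke_all_sessions( $user_id );
		}
	},
	10,
	2
);
```

A frontend form that sets the password by another route fires neither hook, so it would need to call the helper itself after the change succeeds.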