php wordpress password change – logging me out!

I’m trying to build a simple WordPress password change script of my own (well, based on a plugin really) – the password is successfully changed – but it logs me out after the change completes! Below is the code used. Can anyone see where I’m being logged out and how to prevent it? Thanks!

$update = $wpdb->query($wpdb->prepare("UPDATE {$wpdb->users} SET `user_pass` = %s WHERE `ID` = %d",array(wp_hash_password($_POST['admin_pass1']),$user_ID)));

if(!is_wp_error($update))
{
    wp_cache_delete($user_ID,'users');
    wp_cache_delete($user->user_login,'userlogins');
    wp_logout();
    if (wp_signon(array('user_login'=>$user->user_login,'user_password'=>$_POST['admin_pass1']),false)):
        wp_redirect(admin_url());
    endif;
    ob_start();
}

6 comments

  1. After resetting the password you have to set/reset cookies (http://codex.wordpress.org/Function_Reference/wp_set_auth_cookie), like this:

    $update = $wpdb->query($wpdb->prepare("UPDATE {$wpdb->users} SET `user_pass` = %s WHERE `ID` = %d",array(wp_hash_password($_POST['admin_pass1']),$user_ID)));
    
    if(!is_wp_error($update))
    {
        wp_cache_delete($user_ID,'users');
        wp_cache_delete($user->user_login,'userlogins');
        wp_logout();
        if (wp_signon(array('user_login'=>$user->user_login,'user_password'=>$_POST['admin_pass1']),false)):
            wp_redirect(admin_url());
        endif;
        ob_start();
    }else{
        wp_set_auth_cookie( $current_user_id, true);
    }
    

    To reset the password you’d better use WordPress functions like wp_check_password and wp_set_password because of integration with other applications/plugins.

  2. Was linked here from another post, and wanted to give an updated solution to this problem, as some of these solutions (especially modifying wpdb->query directly) aren’t best practice anymore.

    Update the user’s password using wp_set_password(), and then log the user back in, using wp_signon().

    wp_signon will create the authentication cookie for you, as other users have suggested, but in a much more streamlined way.

    function create_new_password_for_user($new_password){
        // Get the current user's details, while they're still signed in, in this scope.
        $current_user    = wp_get_current_user();
        $current_user_id = $current_user->ID;
        $users_login     = $current_user->user_email;

        // Set their new password (this will trigger the logout).
        wp_set_password($new_password, $current_user_id);

        // Set up the data to be passed on to wp_signon.
        $user_data = array(
            'user_login'    => $users_login,
            'user_password' => $new_password,
            'remember'      => false
        );

        // Sign them back in.
        $result = wp_signon( $user_data );

        if(is_wp_error($result)){
            // Do something with an error, if there is one.
        }else{
            // Do something with the successful change.
        }
    }
    
  3. Actually this:

    if(!is_wp_error($update))
    {
        wp_cache_delete($user_ID,'users');
        wp_cache_delete($user->user_login,'userlogins');
        wp_logout();
        if (wp_signon(array('user_login'=>$user->user_login,'user_password'=>$_POST['admin_pass1']),false)):
            wp_redirect(admin_url());
        endif;
        ob_start();
    }
    

    means that if there are no errors the following functions will be executed. One of these functions is wp_logout(), which will always be called if the conditional block is executed.

    If it’s not what you want, then you want to consider replacing:

    if(!is_wp_error($update))
    

    with:

    if(is_wp_error($update))
    
  4. Try the code below; it won’t log you out after the password change and it works with Ajax too. Also, there is no need to reset cookies/session after it.

    $userdata['ID'] = 1; //user ID
    $userdata['user_pass'] = 'new_password';
    wp_update_user( $userdata ); // this will handle encryption and everything
    

    Cheers

  5. Make sure the code is run before the end of HTTP headers and the beginning of regular page content. You may not get any warning if you inadvertently wait too long in the page generation process. It’ll all just fail silently and you’ll be logged out mysteriously (even though wp_signon() returns a valid WP_User object).
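
An added example, not part of any answer above: a handler that combines the wp_update_user() call from answer 4 with the timing point from answer 5, and adds a nonce check and a current-password check. The action name, nonce action, field names and `example_` functions are hypothetical.

```php
<?php
// Added example, not code from this thread. The action name, nonce action,
// field names and example_* functions are hypothetical.

// admin-post.php fires this hook for logged-in users before any page output,
// so the fresh auth cookie and the redirect can still go out as headers.
add_action( 'admin_post_example_change_password', 'example_change_password' );

function example_field( $name ) {
	// Taken as received, the same way core's login form reads $_POST['pwd'],
	// so the hash stored here matches what a later login will check.
	return ( isset( $_POST[ $name ] ) && is_string( $_POST[ $name ] ) ) ? $_POST[ $name ] : '';
}

function example_finish( $url, $status ) {
	wp_safe_redirect( add_query_arg( 'pw_status', $status, $url ) );
	exit;
}

function example_change_password() {
	// CSRF check: the form must include wp_nonce_field( 'example_change_password' ).
	check_admin_referer( 'example_change_password' );

	$user = wp_get_current_user();
	$back = wp_get_referer() ?: admin_url();
	$new  = example_field( 'new_pass1' );

	// Require the current password so a borrowed session cannot set a new one.
	if ( ! wp_check_password( example_field( 'current_pass' ), $user->user_pass, $user->ID ) ) {
		example_finish( $back, 'bad_current' );
	}
	if ( '' === $new || $new !== example_field( 'new_pass2' ) ) {
		example_finish( $back, 'mismatch' );
	}

	// wp_update_user() hashes the password and, because the target is the
	// current user, clears the old auth cookie and sets a new one.
	$result = wp_update_user( array( 'ID' => $user->ID, 'user_pass' => $new ) );

	example_finish( $back, is_wp_error( $result ) ? 'failed' : 'changed' );
}
```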

  6. If you are still looking for an answer on this topic, I found a solution!

    In short, after you update the password, clear the data and log out (as you did):

    wp_cache_delete($user_ID,'users');
    wp_cache_delete($user->user_login,'userlogins');
    wp_logout();
    

    The user is logged out now.

    Then do a ‘redirect’ to a new page to auto-login again.
    Catch the call to this page via add_action( 'wp', 'auto_login' );
    (we must do this before anything is sent via ‘headers’).

    The auto_login function can then handle your request to auto-login the given user (via $_GET parameters).

    So when I redirect to the new page I pass on two parameters:
    user_id (the user to log in)
    a secret key (for security)

    $key = password_hash( '[some secret]' . $user_id, PASSWORD_DEFAULT );

    wp_redirect( get_permalink( $to['fl_autologin'] ) . "/?p=" . urlencode( $key ) . "&z=" . $user_id );
    exit;
    

    Then in the auto_login function I look for those two parameters and
    decrypt the secret key to check if this is OK:

    if ( $_GET['z'] && password_verify( '[some secret]' . $_GET['z'], urldecode( $_GET['p'] ) ) ) {
    

    If so, then log in the given user:

    $user    = get_user_by( 'id', $_GET['z'] );
    $user_id = $user->ID;
    wp_set_current_user( $user_id, $user->user_login );
    wp_set_auth_cookie( $user_id );

    // Core passes the WP_User object as the second argument of this hook.
    do_action( 'wp_login', $user->user_login, $user );
    

    Do some more security checks on this,
    like the user_id must be valid, etc.
    If all is OK,
    then you can redirect him to a home page again.

    Hope this helps with your issue.
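
An added example, not part of answer 6: any key issued by that answer stays valid for its user indefinitely, so anyone who sees the URL (browser history, access logs, a Referer header) can reuse it. This variant of the same redirect flow uses a random token that works once and expires after 60 seconds; the `example_` names, the `al_token` argument and the lifetime are assumptions.

```php
<?php
// Added example, not code from this thread. Function names, the al_token
// query argument and the 60-second lifetime are assumptions.

function example_issue_login_token( $user_id ) {
	$token = wp_generate_password( 43, false ); // random letters and digits, URL-safe
	// Store only a hash of the token, so the stored value is not a usable link.
	set_transient( 'example_al_' . hash( 'sha256', $token ), (int) $user_id, 60 );
	return $token;
}

function example_redeem_login_token( $token ) {
	$key     = 'example_al_' . hash( 'sha256', $token );
	$user_id = get_transient( $key ); // false when unknown or expired
	delete_transient( $key );         // single use: a replayed link finds nothing
	return $user_id ? (int) $user_id : 0;
}

// After the password change and wp_logout(), redirect with a fresh token.
function example_redirect_to_auto_login( $user_id ) {
	$url = add_query_arg( 'al_token', example_issue_login_token( $user_id ), home_url( '/' ) );
	wp_safe_redirect( $url );
	exit;
}

// The 'wp' hook runs before any template output, so cookies can still be set.
add_action( 'wp', 'example_auto_login' );

function example_auto_login() {
	if ( empty( $_GET['al_token'] ) || ! is_string( $_GET['al_token'] ) ) {
		return;
	}
	// The user ID comes from server-side storage, never from the URL.
	$user_id = example_redeem_login_token( $_GET['al_token'] );
	$user    = $user_id ? get_user_by( 'id', $user_id ) : false;
	if ( ! $user ) {
		wp_die( 'This login link is invalid or has expired.', '', array( 'response' => 403 ) );
	}

	wp_set_current_user( $user->ID );
	wp_set_auth_cookie( $user->ID );
	do_action( 'wp_login', $user->user_login, $user );

	wp_safe_redirect( home_url( '/' ) ); // drops the token from the address bar
	exit;
}
```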