I am trying to write my own lost password plugin. It is working perfectly. But how can I invalidate the reset key after being used once. Currently I am able to set new password as many times as I wish by clicking the reset password link sent to my email.
Apart from it, do I need to implement any security measures in below code?
Password Reset Link generation and send via email:
$user = get_user_by('login', $_POST['username'] );
$token = base64_encode( serialize([
'key' => get_password_reset_key( $user ),
'user' => $user->user_login
]));
$reset_pass_link = ';token='.$token;
$to = $user->user_email;
$subject = 'Your Password reset link';
$message = $reset_pass_link;
$headers[] = 'From: Example <[email protected]>'."\r\n";
wp_mail($to, $subject, $message, $headers);
Validate Reset Key and then set new password :
$token = maybe_unserialize(base64_decode($_GET['token']));
if( !isset($token) || !isset($token['key']) || !isset($token['user']) ){
$ajax_handler->add_error_message("Invalid Token.");
$ajax_handler->is_success = false;
return;
}
$key = $token['key'];
$user = $token['user'];
$user_id = get_user_by('login', $user)->ID;
$new_pass = $fields[$settings['ap_new_pass']];
if ( check_password_reset_key($key, $user)){
wp_set_password( $new_pass, $user_id );
}
else{
$ajax_handler->add_error_message("Invalid Token.");
$ajax_handler->is_success = false;
return;
}
发布者:admin,转转请注明出处:http://www.yc00.com/questions/1745040652a4607786.html
评论列表(0条)