I am using an OTP SMS plugin which has the following code, which runs on the checkout and login/register pages of WooCommerce:
    function smsalert_site_challenge_otp($user_login, $user_email, $errors, $phone_number=null,$otp_type,$password="",$extra_data=null,$from_both=false)
    {
        SmsAlertUtility::checkSession();
        $_SESSION['current_url'] = SmsAlertUtility::currentPageUrl();
        $_SESSION['user_email'] = $user_email;
        $_SESSION['user_login'] = $user_login;
        $_SESSION['user_password'] = $password;
        $_SESSION['phone_number_mo'] = $phone_number;
        $_SESSION['extra_data'] = $extra_data;
        _handle_otp_action($user_login,$user_email,$phone_number,$otp_type,$from_both);
    }
The function is called as follows:
    function _handle_validate_otp_choice_form($postdata)
    {
        SmsAlertUtility::checkSession();
        if($postdata['mo_customer_validation_otp_choice'] == 'user_email_verification')
            smsalert_site_challenge_otp($_SESSION['user_login'],$_SESSION['user_email'],null,$_SESSION['phone_number_mo'],"email",$_SESSION['user_password'],$_SESSION['extra_data'],true);
        else
            smsalert_site_challenge_otp($_SESSION['user_login'],$_SESSION['user_email'],null,$_SESSION['phone_number_mo'],"phone",$_SESSION['user_password'],$_SESSION['extra_data'],true);
    }
Does this line $_SESSION['user_password'] = $password; mean that passwords are collected?
1 Answer
No, it means that the password is stored in SESSION.
So yes, it is remembered for some time and it’s not the best idea.
The more important thing is what it is used for and how it is processed.
It looks like it stores the password so it can delay the login process: it sends an SMS, checks the One-Time Password and only then performs the normal WP password check, I guess.
But to be sure, you should check if that’s the only thing the stored password is used for.
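One way to carry out the check suggested above, as an added example that is not part of the original post or the plugin's code: a small Python scanner that lists every place a PHP source writes, reads or unsets `$_SESSION['user_password']`. The sample input is constructed: its first three lines come from the question's snippet, and its last two lines (including `$candidate`) are hypothetical.

```python
import re

# Matches $_SESSION['key'] or $_SESSION["key"] and captures the key name.
SESSION_REF = re.compile(r"""\$_SESSION\[\s*['"]([^'"]+)['"]\s*\]""")

def classify(line, match):
    """Return 'unset', 'write' or 'read' for one $_SESSION[...] reference."""
    before, after = line[:match.start()], line[match.end():]
    if re.search(r"\bunset\s*\([^)]*$", before):
        return "unset"
    # A single '=' (not '==', '===' or '=>') right after the reference is an assignment.
    if re.match(r"\s*=(?![=>])", after):
        return "write"
    return "read"

def audit(source, key="user_password"):
    """List (line_no, kind, code) for every use of $_SESSION[key] in PHP source."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for m in SESSION_REF.finditer(line):
            if m.group(1) == key:
                findings.append((no, classify(line, m), line.strip()))
    return findings

# Constructed sample: the first three lines are from the question's snippet, the
# last two are hypothetical lines added to exercise the read and unset cases.
SAMPLE = r'''
$_SESSION['user_email'] = $user_email;
$_SESSION['user_password'] = $password;
smsalert_site_challenge_otp($_SESSION['user_login'],$_SESSION['user_email'],null,$_SESSION['phone_number_mo'],"email",$_SESSION['user_password'],$_SESSION['extra_data'],true);
if ($_SESSION["user_password"] == $candidate) { /* hypothetical */ }
unset($_SESSION['user_password']); // hypothetical cleanup
'''

if __name__ == "__main__":
    for no, kind, code in audit(SAMPLE):
        print(f"line {no}: {kind:5}  {code[:70]}")
```

Feed it the contents of each PHP file in the plugin. A key that is written but never unset once OTP verification finishes stays in the session store for the lifetime of the session.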