Commit 3579e69fe2 for wordpress.org

commit 3579e69fe277e57c3dbdacd179f1d0d07d049f9a
Author: John Blackbourn <johnbillion@git.wordpress.org>
Date:   Thu Jan 16 15:35:27 2025 +0000

    Users: Retain the current session when a user changes their password.

    Prior to this change a new session was unnecessarily created when a user changed their own password.

    Existing authentication cookies for the user will still be invalidated regardless of whether they share the same session token because session cookie keys contain a substring of the password hash.

    Props snicco, narenin, johnbillion

    Fixes #61366

    Built from https://develop.svn.wordpress.org/trunk@59633


    git-svn-id: http://core.svn.wordpress.org/trunk@58996 1a063a9b-81f0-0310-95a4-ce76da25c4cd

diff --git a/wp-includes/user.php b/wp-includes/user.php
index 6222e932a9..635f82c5ed 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -2780,8 +2780,6 @@ All at ###SITENAME###
 	$current_user = wp_get_current_user();
 	if ( $current_user->ID === $user_id ) {
 		if ( isset( $plaintext_pass ) ) {
-			wp_clear_auth_cookie();
-
 			/*
 			 * Here we calculate the expiration length of the current auth cookie and compare it to the default expiration.
 			 * If it's greater than this, then we know the user checked 'Remember Me' when they logged in.
@@ -2790,13 +2788,20 @@ All at ###SITENAME###
 			/** This filter is documented in wp-includes/pluggable.php */
 			$default_cookie_life = apply_filters( 'auth_cookie_expiration', ( 2 * DAY_IN_SECONDS ), $user_id, false );

+			wp_clear_auth_cookie();
+
 			$remember = false;
+			$token    = '';
+
+			if ( false !== $logged_in_cookie ) {
+				$token = $logged_in_cookie['token'];
+			}

 			if ( false !== $logged_in_cookie && ( (int) $logged_in_cookie['expiration'] - time() ) > $default_cookie_life ) {
 				$remember = true;
 			}

-			wp_set_auth_cookie( $user_id, $remember );
+			wp_set_auth_cookie( $user_id, $remember, '', $token );
 		}
 	}

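Review bot: The session token handed to `wp_set_auth_cookie()` is read straight from `$logged_in_cookie['token']`, and nothing in this hunk checks that it still names a live session for `$user_id`; `$logged_in_cookie` is assigned outside the hunk, so it is not visible here whether that value was validated or only parsed. If it was only parsed, a stale or mismatched token would presumably yield a new cookie that fails session verification on the next request, logging the user out immediately after the password change. Consider guarding the assignment, e.g. `if ( false !== $logged_in_cookie && WP_Session_Tokens::get_instance( $user_id )->verify( $logged_in_cookie['token'] ) ) {`, so that an unknown token leaves `$token` as `''` and a new session is created as before. A comment above `$token = '';` such as `// Reuse the current session token; older cookies are still invalidated because the cookie key includes part of the password hash.` would also record why retaining the token is safe. The enclosing function begins and ends outside the hunk.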
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 3c3d557def..cc8c7e7dd5 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.8-alpha-59632';
+$wp_version = '6.8-alpha-59633';

 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.