403 forbidden error on logout after successful password change

This topic contains 2 replies, has 2 voices, and was last updated by Alex Rollin 4 years, 5 months ago.

We have moved to a support ticketing system and our forums are now closed.

  • #5817

    Andy
    Free User
    Post count: 46

    After a successful password change using the UsersWP Change Password page, clicking the logout menu link returns a 403 forbidden error, and the user remains logged in.

    The logout menu link works fine in all other circumstances that I have seen (including a visit to the Change Password page without submitting the form, and also after an unsuccessful password change).

    The logout URL is no different when this happens. No error logged.

    If I visit another UsersWP page after this happens, or revisit the Change Password page, I can log out with no problem.

    Pretty strange that it only happens right after a successful password change but it is completely consistent for me.

    I’ll look a little further and post again if I find anything.

    #5820

    Andy
    Free User
    Post count: 46

    I have more information on this.

    The logout fails inside function check_admin_referer which is in wp-includes/pluggable.php.

    A comment at the top of the function says “Ensures intent by verifying that a user was referred from another admin page with the correct security nonce.”

    It seems that the security nonce at the end of the logout URL changes after a password change. However, it is not updated on the page menu immediately after a password change.

    If I revisit the page or visit a different UsersWP page then the nonce in the URL updates which explains why the logout is then successful. I thought before the URL was exactly the same but I was wrong.

    So looks like you need to get the new nonce after password change?

    #5826

    Alex Rollin
    Moderator
    Post count: 27815

    Thanks Andy, the developers are looking into it.
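The behaviour reported in this thread, as an added example that is not part of the original posts and is not WordPress or UsersWP code: a stand-alone, simplified model of how a WordPress nonce is bound to the tick, action, user id and session token, showing why a logout link rendered under the old session fails the check once the token changes. The salt, tokens, user id and timestamps are constructed, and it is an assumption that the password change issues a new session token, as WordPress core does when the current user's password is updated.

```php
<?php
// Added example: simplified stand-alone model of WordPress nonce handling.
// Not WordPress or UsersWP code; salt, tokens and user id are constructed.

const NONCE_LIFE = 86400;                   // default nonce lifetime in seconds
const NONCE_SALT = 'constructed-demo-salt'; // stands in for the site's nonce key and salt

// Nonces are bound to a 12-hour "tick", not to an exact timestamp.
function nonce_tick(int $now): int
{
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Keyed hash over tick | action | user id | session token, 10 characters kept.
function create_nonce(string $action, int $uid, string $token, int $now): string
{
    $data = nonce_tick($now) . '|' . $action . '|' . $uid . '|' . $token;
    return substr(hash_hmac('md5', $data, NONCE_SALT), -12, 10);
}

// Returns 1 (current tick), 2 (previous tick) or false, like wp_verify_nonce().
function verify_nonce(string $nonce, string $action, int $uid, string $token, int $now)
{
    foreach ([1 => 0, 2 => 1] as $result => $age) {
        $data = (nonce_tick($now) - $age) . '|' . $action . '|' . $uid . '|' . $token;
        $expected = substr(hash_hmac('md5', $data, NONCE_SALT), -12, 10);
        if (hash_equals($expected, $nonce)) {
            return $result;
        }
    }
    return false;
}

$now      = 1700000000;        // constructed timestamp
$uid      = 42;                // constructed user id
$oldToken = 'session-token-A'; // token in effect when the menu was rendered
$newToken = 'session-token-B'; // assumed: token issued after the password change

// Logout link in the menu of the page shown right after the password change
// (assumed to have been minted under the old token).
$menuNonce = create_nonce('log-out', $uid, $oldToken, $now);

// Clicking that link: the server now verifies against the new token.
var_dump(verify_nonce($menuNonce, 'log-out', $uid, $newToken, $now + 30));

// Any later page load renders the menu with a nonce minted under the new token.
$freshNonce = create_nonce('log-out', $uid, $newToken, $now + 60);
var_dump(verify_nonce($freshNonce, 'log-out', $uid, $newToken, $now + 90));
```

The first check fails because only the session token differs between minting and verification; the second succeeds, matching the observation that revisiting a page restores logout.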
