check_password_reset_key()WP 3.1.0

Checks (compares) the provided key for password recovery with the hash of that key in the database.

The key hash is created by the function get_password_reset_key() during the password recovery request and is stored in the database, in the table wp_users in the user_activation_key field.

The key stored in the database is valid for one day (24 hours) from the moment of its creation.

Hooks from the function

Returns

WP_User|WP_Error.

  • WP_User object if the specified key has passed the check (is equal to the hash).
  • WP_Error object if the key does not equal the hash or has expired.

Usage

check_password_reset_key( $key, $login );
$key(string) (required)
Key to compare with the hash. This key is usually sent via email as a link.
$login(string) (required)
The username of the user whose key hash needs to be retrieved from the database and compared with the value of $key.

Examples

0

#1 Example of creating and verifying a key to restore a pasword 

// create a key for user 1 with the username siesta
$user = get_userdata( 1 );

$key = get_password_reset_key( $user ); // ZedUm9FEt48Kp4aGb5i8

// check the created key
$ok = check_password_reset_key( $key, 'siesta' );

if( is_wp_error( $ok ) ){
	echo $ok->get_error_message();
}
else {
	echo 'The key has been verified. You can send a new password to the email.';
}

Changelog

Since 3.1.0 Introduced.

check_password_reset_key() code WP 7.0

wp-includes/user.php 
function check_password_reset_key(
	#[\SensitiveParameter]
	$key,
	$login
) {
	$key = preg_replace( '/[^a-z0-9]/i', '', $key );

	if ( empty( $key ) || ! is_string( $key ) ) {
		return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
	}

	if ( empty( $login ) || ! is_string( $login ) ) {
		return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
	}

	$user = get_user_by( 'login', $login );

	if ( ! $user ) {
		return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
	}

	/**
	 * Filters the expiration time of password reset keys.
	 *
	 * @since 4.3.0
	 *
	 * @param int $expiration The expiration time in seconds.
	 */
	$expiration_duration = apply_filters( 'password_reset_expiration', DAY_IN_SECONDS );

	if ( str_contains( $user->user_activation_key, ':' ) ) {
		list( $pass_request_time, $pass_key ) = explode( ':', $user->user_activation_key, 2 );
		$expiration_time                      = $pass_request_time + $expiration_duration;
	} else {
		$pass_key        = $user->user_activation_key;
		$expiration_time = false;
	}

	if ( ! $pass_key ) {
		return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
	}

	$hash_is_correct = wp_verify_fast_hash( $key, $pass_key );

	if ( $hash_is_correct && $expiration_time && time() < $expiration_time ) {
		return $user;
	} elseif ( $hash_is_correct && $expiration_time ) {
		// Key has an expiration time that's passed.
		return new WP_Error( 'expired_key', __( 'Invalid key.' ) );
	}

	if ( hash_equals( $user->user_activation_key, $key ) || ( $hash_is_correct && ! $expiration_time ) ) {
		$return  = new WP_Error( 'expired_key', __( 'Invalid key.' ) );
		$user_id = $user->ID;

		/**
		 * Filters the return value of check_password_reset_key() when an
		 * old-style key or an expired key is used.
		 *
		 * Prior to 3.7, plain-text keys were stored in the database.
		 *
		 * @since 3.7.0
		 * @since 4.3.0 Previously key hashes were stored without an expiration time.
		 *
		 * @param WP_Error $return  A WP_Error object denoting an expired key.
		 *                          Return a WP_User object to validate the key.
		 * @param int      $user_id The matched user ID.
		 */
		return apply_filters( 'password_reset_key_expired', $return, $user_id );
	}

	return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
}

password

Login/Logout