Password reset in Multisite a bit clumsy

I have Pro Sites working fairly well, but I wanted to test how it would perform if a client needed to reset their password. Unfortunately, the password reset email that the client receives, directs them to the main site login page, which is https. Once they've established a new password they see a message that they are on the wrong page with a link to their dashboard. When they click the link to their dashboard, they get a security warning, because the SSL doesn't cover the subdomains and they are still being directed to https instead of http. It all just seems a bit messy.

(That's the good news. The bad news is if I activate my Wordfence Security plugin, the client gets completely locked out of the site when trying to reset their password. I have it deactivated for now.)

Am I missing a setting somewhere? I'd love for the entire password reset process to take place directly on their subdomain.

As an FYI, I did try the "Log In Message" plugin, but it doesn't seem an ideal solution and the message that they are not permitted to reset their password doesn't come up until after they've gone to the work of entering their email address. I'm foreseeing irritated customers at this point.

Got any suggestions that might help me out? :o)

  • xaviemirmon
    • Site Builder, Child of Zeus

    You could reset the password via the Network Admin > Users and send them a temporary password that you have created with instructions on how to change it under their profile. An option to have everyone covered with SSL is to use a subdirectory install or get a wildcard SSL, but they are very pricey.

  • tebothibeau
    • Site Builder, Child of Zeus

    Hi xaviemirmon!

    Thanks for the suggestion. It may be a last resort solution coupled with the "Log In Message" plugin. I'd really like to find a more automated solution. I don't mind resetting passwords and sending off an email, but I think client expectation these days is for the instant fix. Something that a staff of one (me) isn't always that responsive to.

    :o)

  • aecnu
    • WP Unicorn

    Greetings tebothibeau,

    The bad news is if I activate my Wordfence Security plugin, the client gets completely locked out of the site when trying to reset their password. I have it deactivated for now.

    The fact of the matter is that many of these so called security plugins cause more damage than good.

    Bad Behavior blocks IPN calls from PayPal, and Bulletproof Security has caused a lot of trouble as well for many plugins including Q&A and more.

    You may want to try this plugin attached below and see if it directs them back to their own site by any chance.

    Please advise.

    Cheers, Joe

  • tebothibeau
    • Site Builder, Child of Zeus

    Hi Joe!

    Yeah, it doesn't break my heart if I ditch the Security plugin.

    Your plugin solution is almost perfect! It's definitely the best solution by far, but it's requiring them to re-enter their password, as it is redirecting to their login page instead of the dashboard.

    I'll take a closer look tomorrow to see if there is something I can change. Unless, of course, you have another idea in the meantime? :o)

    Thanks so much!

  • tebothibeau
    • Site Builder, Child of Zeus

    I'm still struggling with this. I have the client login after password reset running pretty smoothly, but I have to use FORCE_SSL_LOGIN in the config file for it to work appropriately. Unfortunately, when I login as the network administrator and try to edit a page, I get kicked back out to the login page where it goes into an eternal loop. The only way for me to be able to edit pages is if I use FORCE_SSL_ADMIN in the config file, but then I'm back to seeing the security warning when the client tries to login.

    Is there a better way to accomplish what I'm trying to do? With .htaccess maybe? I need all subdomains to go to http, but I want the primary site in https.

    Thanks again!

  • aecnu
    • WP Unicorn

    Greetings tebothibeau,

    The problem I foresee with using the htaccess file is that it will affect everything including the main site using https.

    However, I gave it another shot, coded specifically for your main site SSL login to redirect to a subsite non-SSL, attached below :)

    I could not pre-test because I do not have this same exact configuration anywhere, but it should work.

    Please advise.

    Cheers, Joe

  • tebothibeau
    • Site Builder, Child of Zeus

    Hi Joe!

    We're getting close . . . I think!

    Tried the plugin. Was getting a Parse error on line 24.
    Changed line 24 to:
    return str_replace('https://', 'http://', $redirect_to);

    If you watch the address bar when logging into client account, behavior is:
    redirects to http
    Then redirects to https and throws up a security warning.

    This is presumably because I have FORCE_SSL_ADMIN set to true in the config file.
    If I use FORCE_SSL_LOGIN it works great until I try to edit one of the pages on the primary site and then I get bounced to login looping again. If I don't use either, I end up looping the login.

    Maybe I shouldn't have changed line 24? I know just enough to be dangerous. :o)

  • aecnu
    • WP Unicorn

    Greetings tebothibeau,

    Thank you for the additional feedback!

    I will see about getting one of the lead developers to look at the coding to see if he can see why we are having this error.

    Actually I will try to get him to look over this ticket completely to see if he thinks of any reason or conflict we may have going on here i.e. FORCE_SSL_ADMIN, FORCE_SSL_LOGIN

    Have you perhaps tried this with both of these statements removed/disabled?

    Please advise.

    Cheers, Joe

  • aecnu
    • WP Unicorn

    Greetings tebothibeau,

    Aha! I went back to trying to figure out what was going wrong with line 24 and as I see there was an extra semicolon in there that got me.

    I also recognize that you had removed the extra semicolon and you are still getting the parsing error, or what are the current symptoms?

    Please advise.

    Cheers, Joe

  • tebothibeau
    • Site Builder, Child of Zeus

    Hi Joe!

    I removed the extra semicolon and had to remove one of the "return"s at the beginning of that same line in order to get rid of the parsing error. I was then able to install the plugin.

    This is the problem I continue to have:
    If I have FORCE_SSL_LOGIN enabled in my config file everything works perfectly (client login is perfect, my login is perfect) until I try to edit one of my main site's pages. I then get redirected back to the login page which just loops for eternity.

    If I have FORCE_SSL_ADMIN enabled I am able to edit my pages, but the client gets a security error when logging in, as the FORCE_SSL_ADMIN overrides the redirect plugin.

    Any ideas?

    Thanks so much!

  • aecnu
    • WP Unicorn

    Greetings tebothibeau,

    Thank you for that additional feedback, I am not a coder but I tried :)

    Thank you also for the summary above and now is the time to refer this to a higher authority since I have exhausted my ideas.

    Therefore I will see if I can get the lead developer in here with his invaluable insight into this plugin for his advice/advise for us.

    Though this may take a bit longer than a normal ticket, I will try to get him in here asap.

    Cheers, Joe

  • Aaron
    • CTO

    First off, this has absolutely nothing to do with Pro Sites, but how Multisite works.

    The lost password url looks like it's created by the wp_lostpassword_url() function, which does have a filter. It's probably easy enough to just simply filter that to use site_url() instead of network_site_url().

    Something like this (completely untested):

    // Build the "Lost your password?" link on the current site instead of the
    // network's main site.
    function wp_lostpassword_url_filtered( $url, $redirect ) {
    	$args = array( 'action' => 'lostpassword' );
    	if ( !empty($redirect) ) {
    		$args['redirect_to'] = $redirect;
    	}
    
    	return add_query_arg( $args, site_url('wp-login.php', 'login') );
    }
    // The filter passes two values ($url, $redirect), so accepted args must be 2;
    // with the default of 1, $redirect is never supplied to the callback.
    add_filter( 'lostpassword_url', 'wp_lostpassword_url_filtered', 10, 2 );

    This would need to be in a network activated plugin, or in mu-plugins.
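    Putting Aaron's filter together with the http-for-subsites login redirect the thread has been chasing, as an added network plugin example (not the thread's attached plugin and not WordPress core code); the `example_` function names are assumptions, and the `lostpassword_url` callback is registered with the two arguments that filter actually passes.

```php
<?php
/*
Plugin Name: Subsite Login URLs (added example, not the thread's plugin)
Network: true
*/

// 1. Point the "Lost your password?" link at the current subsite's wp-login.php
//    instead of the network's main site. Declared with 2 accepted args because
//    the filter passes ($lostpassword_url, $redirect).
function example_subsite_lostpassword_url( $lostpassword_url, $redirect ) {
    $args = array( 'action' => 'lostpassword' );
    if ( ! empty( $redirect ) ) {
        $args['redirect_to'] = $redirect;
    }
    return add_query_arg( $args, site_url( 'wp-login.php', 'login' ) );
}
add_filter( 'lostpassword_url', 'example_subsite_lostpassword_url', 10, 2 );

// 2. After a successful login on a subsite, keep the user on plain http because
//    the certificate only covers the main domain; the main site keeps https.
//    Only network-local targets are rewritten; anything else falls back to this
//    subsite's own dashboard rather than being forwarded elsewhere.
function example_subsite_login_redirect( $redirect_to, $requested, $user ) {
    if ( is_main_site() || is_wp_error( $user ) ) {
        return $redirect_to;
    }
    $home_host   = wp_parse_url( home_url(), PHP_URL_HOST );
    $target_host = wp_parse_url( $redirect_to, PHP_URL_HOST );
    if ( $target_host && $target_host !== $home_host ) {
        return admin_url( '', 'http' );
    }
    // Same as the thread's str_replace('https://', 'http://', ...) on line 24,
    // but only touches the scheme prefix.
    return set_url_scheme( $redirect_to, 'http' );
}
add_filter( 'login_redirect', 'example_subsite_login_redirect', 10, 3 );
```

    FORCE_SSL_ADMIN will still bounce the dashboard back to https after this redirect, exactly as observed earlier in the thread, so it cannot stay on for subsites. The reset link inside the email is built by WordPress with network_site_url(), so the first filter changes only where the "Lost your password?" link points.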

  • tebothibeau
    • Site Builder, Child of Zeus

    Okay, I think this has ceased to be a password reset/client login issue, and has become an SSL redirect issue instead.

    This is the problem:
    If I have FORCE_SSL_LOGIN enabled in my config file everything works perfectly (client login is nice and tidy, my login is perfect) until I try to edit one of my main site's pages. I then get redirected back to the login page which just loops for eternity.

    If I have FORCE_SSL_ADMIN enabled I am able to edit my pages, but the FORCE_SSL_ADMIN overrides any redirect to an http page. Since the SSL certificate is only valid for the primary domain, not subdomains, this throws a security error when the client is logging in, which is surely going to make them halt in their tracks.

    It seems like the solution would be to force the admin dashboard to stay logged in no matter if I switch between http and https. Is there a way to do that?

    Thanks!

  • tebothibeau
    • Site Builder, Child of Zeus

    I'm Baaaack!

    Found my solution! Now this issue is truly resolved (fingers crossed).

    I edited the database so that the default address for the site is http instead of https.

    I'm running two plugins: My Login Redirect and WordPress HTTPS

    I'm using WordPress HTTPS to redirect to https pages for all store pages that require it (I'm running an ecommerce plugin in addition to ProSites for the sale of stock photography and web themes). ProSites automatically pulls up the https pages for site upgrades.

    I've removed all FORCE_SSL from my wp-config.php

    Initial testing has been very successful!

  • aecnu
    • WP Unicorn

    Greetings tebothibeau,

    Thank you for letting us know of this possible unconventional but great solution to this issue and work around thereof.

    Please keep us posted as to your final conclusion and to benefit the rest of the community as well that are facing this challenge.

    Thank you for being a WPMU Dev Community Member!

    Cheers, Joe

  • tebothibeau
    • Site Builder, Child of Zeus

    Hi Joe!

    I will definitely keep you informed as I continue testing. I'm not moving very fast as this is a personal project and client work keeps getting in the way (Thankfully!)

    The only issue I've come across is that I'll occasionally need to login twice if I land on an https page on the front end and then try to go back to the dashboard. It's a slight annoyance that I can certainly put up with. I'm more worried about client experience and that part seems to be working well.

    Best!
    Judy
