diff --git a/wp-login.php b/wp-login.php
index 803708222d..bbf671ec71 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -559,9 +559,21 @@ break;
case 'resetpass' :
case 'rp' :
- $user = check_password_reset_key($_GET['key'], $_GET['login']);
+ list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
+ $rp_cookie = 'wp-resetpass-' . COOKIEHASH;
+ if ( isset( $_GET['key'] ) ) {
+ $value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) );
+ setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
+ wp_safe_redirect( remove_query_arg( array( 'key', 'login' ) ) );
+ exit;
+ }
+
+ list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
+
+ $user = check_password_reset_key( $rp_key, $rp_login );
if ( is_wp_error($user) ) {
+ setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
if ( $user->get_error_code() === 'expired_key' )
wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) );
else
@@ -586,6 +598,7 @@ case 'rp' :
if ( ( ! $errors->get_error_code() ) && isset( $_POST['pass1'] ) && !empty( $_POST['pass1'] ) ) {
reset_password($user, $_POST['pass1']);
+ setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
login_header( __( 'Password Reset' ), '' . __( 'Your password has been reset.' ) . ' ' . __( 'Log in' ) . '
' );
login_footer();
exit;
@@ -597,8 +610,8 @@ case 'rp' :
login_header(__('Reset Password'), '' . __('Enter your new password below.') . '
', $errors );
?>
-