jakevan/jvb.git

			@@ -152,10 +152,10 @@
			// Attempt login
			$user = wp_signon([
			'user_login' => $username,
			'user_email' => $username,
			'user_password' => $password,
			'remember' => $remember
			], false);
			], is_ssl());


			if (is_wp_error($user)) {
			// Track failed attempt
			@@ -167,13 +167,14 @@
			401
			) : false;
			}

			// Clear failed attempts on success
			$this->clearFailedAttempts($username);

			// Set auth cookie with remember me flag
			wp_set_current_user($user->ID);
			wp_set_auth_cookie($user->ID, $remember);
			wp_set_auth_cookie($user->ID, $remember, is_ssl());



			// Store session fingerprint for hijacking protection
			if ($request) {
			@@ -267,13 +268,12 @@
			*/
			protected function getSessionId(int $user_id): string
			{
			// Use WordPress session tokens
			$sessions = WP_Session_Tokens::get_instance($user_id);
			$token = wp_get_session_token(); // Current session token

			if (!$token) {
			// Fallback to user-specific hash that changes on password reset
			return md5($user_id . get_user_meta($user_id, 'session_tokens', true));
			// Fallback to a hash based on user ID and current timestamp
			// This will be replaced once the session token is available
			return md5($user_id . time());
			}

			return md5($token);
			@@ -370,6 +370,9 @@
			wp_set_current_user($user->ID);
			wp_set_auth_cookie($user->ID, true);

			if (session_status() === PHP_SESSION_ACTIVE) {
			session_regenerate_id(true);
			}
			// Store session fingerprint
			$this->storeSessionFingerprint($user->ID, $request);

			@@ -532,7 +535,7 @@
			update_user_meta($user_id, BASE . $key, sanitize_text_field($value));
			}

			$redirect = $this->getRedirect($user, $request->get_param('redirect_to'), 'register');
			$redirect = $this->getRedirect($user, $request->get_param('redirect_to')??get_home_url(null,'/dash'), 'register');

			// Handle token handlers
			do_action('jvbUserRegistered', $user_id, $email, $data);