Reset password loop in Woocommerce (Varnish?)

Dear all,
I am running several WooCommerce setups and we discovered that there is a password reset loop blocking users from changing their password.

I found several posts pointing to Varnish, but none giving exactly which URLs should be changed to fix it.

Any help or suggestions?


Hi there,

Thanks for writing to us. Let me explain: here at Cloudways, we have defined Varnish rules by following WordPress and WooCommerce standards. We have already excluded the non-cacheable URLs and cookies. If you are using any sort of plugin or theme which is rewriting non-cacheable pages and/or generating some extra cookies, these should be excluded from caching. To eliminate these sorts of issues, we have introduced the feature to exclude/include your desired cookies and URLs from the Varnish cache server. For your better assistance, we have created the following docs:

For URLs:
For cookies:



We experienced this ourselves after moving a WooComm site to CW, and I think it has to do with a cookie issue on the pwd reset page. The reset page is, if I’m not remembering wrong, on the /wp-login.php page with some added query string. Excluding that URL from varnish might help you out with this. Not entirely sure, but something along those lines (excluding the page you end up on after following a pwd reset link) might resolve this.

@daniel Thank you, much appreciated.

I got the same problem after enabling Varnish (had similar problem with WooCommerce Cart widget).

The password reset cookie is in the form “wp-resetpass-80ae903e49571ef4dd7a8aaeXXXXXXXX” and it’s not getting received via the password reset email link when Varnish is first enabled. Found this out with Chrome Edit This Cookie while Varnish was off.

This was fixed by adding regex cookie exclude rule “wp-resetpass-.?”.


Thanks @jarkko.saltiola
This solved my issue! I couldn’t figure out what the issue was until I saw your comment.

Have a great week!

@Cloudways, when activating varnish on any woocommerce site this cookie should automatically be excluded so that this kind of issue doesn’t appear in the first place.

regex cookie exclude rule “wp-resetpass-.?”

Just noting that the .? at the end of the regex is useless. Here is the way cookies are matched:

if (req.http.cookie ~ "wp-resetpass-") { return (pass); } #CloudwaysVCL

It’s a PCRE match (perl compatible regular expression). Therefore the above is the same as writing:

if (req.http.cookie ~ "^.*wp-resetpass-.*$") { return (pass); } #CloudwaysVCL

Adding ‘.?’ to match zero or one character does not change anything, as ‘.?.*’ is the same as ‘.*’.
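
The point made in the post above, as an added example that is not part of the thread or of the Cloudways VCL: Python's `re.search` stands in for the unanchored PCRE match done by VCL's `~`, run over constructed Cookie headers. The `cookie_name_only` pattern is a hypothetical stricter variant that matches only a cookie name, not the same text inside another cookie's value.

```python
import re

# The three patterns from the thread, plus one stricter variant (added here, hypothetical).
PATTERNS = {
    "plain": r"wp-resetpass-",
    "with_optional_dot": r"wp-resetpass-.?",
    "anchored_wildcards": r"^.*wp-resetpass-.*$",
    # Assumption: match only a cookie *name*, at header start or after ";".
    "cookie_name_only": r"(^|;\s*)wp-resetpass-[^=;\s]*=",
}

# Constructed Cookie request headers (not captured from a real site).
SAMPLE_HEADERS = {
    "reset_first": "wp-resetpass-0123abcd=user%3Akey; wp_lang=en_US",
    "reset_last": "wp_lang=en_US; wp-resetpass-0123abcd=user%3Akey",
    "no_reset": "wp_lang=en_US; woocommerce_items_in_cart=1",
    "name_inside_value": "last_seen=wp-resetpass-page; wp_lang=en_US",
    "empty": "",
}


def would_pass(pattern: str, cookie_header: str) -> bool:
    """Mimic VCL `req.http.cookie ~ pattern`: an unanchored regex search."""
    return re.search(pattern, cookie_header) is not None


def decision_table() -> dict:
    """Return {pattern_name: {header_name: bool}} for every combination."""
    return {
        pname: {hname: would_pass(p, h) for hname, h in SAMPLE_HEADERS.items()}
        for pname, p in PATTERNS.items()
    }


if __name__ == "__main__":
    # True means the request bypasses the cache (return (pass)).
    for pname, row in decision_table().items():
        verdicts = {h: ("pass" if v else "cache") for h, v in row.items()}
        print(f"{pname:20s} {verdicts}")
```

The first three patterns give identical decisions on every header, including the one where the string only appears inside another cookie's value; that over-match only sends an extra request past the cache.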

Thanks for the tip! I disabled all my plugins and was about to go into JavaScript and theme functions before I saw this. Varnish is the problem =)

Hi, does anybody know if this was fixed and added to the Varnish config?


As per the solution provided in this thread you need to exclude the cookie wp-resetpass-.? from your varnish rule. Are you familiar with configuring varnish rules?

You may also refer to this KB.

Ibad Rehman
Community Manager

@ibad.rehman Hi, yes, but what strikes me is that this is an issue from 1 year ago!
All WP installs use this reset password cookie, so why isn’t it added to the VCL file?

Also, there was a related issue before when using SendGrid to send all WordPress emails. If SendGrid has click tracking enabled, it was causing an incorrect link. So the solution was to turn off click tracking in emails in SendGrid.

I added most of the URL/cookie exclude examples I could find on the net, but the WooCommerce password reset is still not working (loop).

Then I started to turn off login-related plugins and found that one plugin called Cleantalk was causing this issue. Once I stopped Cleantalk, the password reset link worked even with Varnish on.

So for those who are still stuck with Varnish settings and WooCommerce password reset, the plugins you are using might be the cause of the problem.