Why does WordPress hide the reset password key from the URL?

I’m currently working on a WordPress plugin of my own that involves a custom login interface. I’m wondering, why is it that when you reset your password on WP-Admin, WordPress stores the reset password key in a cookie rather retrieve it from the URL through $_GET?

For example, if your reset link is https://example.com/wp-admin/?action=rp&key=123123213213213123&login=admin, the link will store $_GET['key'] and $_GET['login'] in a cookie and serve you this page using the cookie: https://example.com/wp-admin/?action=rp.

Are there any security reasons for doing that?

To be honest? It’s a little bit hard to say…

This behavior was introduced in 3.9.2 (which is security release). Here’s the bug in Trac: 29060: Don’t pass around the resetpass key, but there isn’t much info on why was it introduced in the bug report.

Is it for security reasons? Most probably. But does it really make the process more secure? It’s a little bit hard to say…

Both GET params and Cookies are sent in every request – so attacker still can intercept them. It just makes such attempts a little bit harder (since you have to get pass_key and it’s hashed value).