Password reset token is never deleted from the user's session after the password is changed

There is still a bug with this. This patch surely removes 'pass_reset_UID' from session after submit but the problem is when you don't submit the form and go somewhere else.

So consider entering url received in pass reset mail. Then click the button to go to edit form. Then move to different page without submitting the edit form. The 'pass_reset_UID' variable remains in session now.

Do you have any idea how to protect from such thing?

Damn... forget about the patch. It was my testing that shouldn't go here... Your patch is definitely right, mine is not. I don't know how to remove it.

CNW and tagging for tests. @David_Rothstein, please correct me if I'm wrong.

http://drupal.org/node/1427826 contains instructions for updating the issue summary with the summary template.

The summary may need to be updated with information from comments.

Minor edits.

Issue summary update is expected

Updated issue summary.

Updated issue summary.

Updated issue summary.

#2: user-pass-reset-1939132-2.patch queued for re-testing.

@@ -225,7 +225,7 @@ public function form(array $form, array &$form_state, EntityInterface $account)
-   * Overrides Drupal\Core\Entity\EntityFormController::submit().
+   * Overrides Drupal\Core\Entity\EntityFormController::validate().

Either don't touch this or switch to {@inheritdoc} too.

@@ -289,4 +289,15 @@ public function validate(array $form, array &$form_state) {
+   * Overrides Drupal\Core\Entity\EntityFormController::submit().

Should be {@inheritdoc} now.

@@ -289,4 +289,15 @@ public function validate(array $form, array &$form_state) {
+    unset($_SESSION['pass_reset_'. $account->uid]);    ¶

Let's use $user and $user->id(), that should fix thos e exceptions.

Also remove the translation spaces.

Tagging as a novice re-roll.

Re-roll

Addressing issues raised in #10.

That only addressed 50% of my review, still using ->uid and now mixing $account and $user :)

D'oh.

One more time.

Same patch should pass the test with if isset test. Better if we could not run this class on other cases than this specific case.

Cleaned the spaces away

patch in #20 applies cleanly and fixes the issues

reroll no more needed

+++ b/core/modules/user/lib/Drupal/user/AccountFormController.php
@@ -309,4 +309,17 @@ public function validate(array $form, array &$form_state) {
 }

This should be 'set' rather than setted. There's trailing whitespace after reset, and it's missing a space between if (isset(

Also I think we could add a test for this?

Here's a test and fix for the issue

This one should pass..

Updated issue summary.

patch is still valid, and ready now.
this is a small patch, and reviewed twice already; so, should be easy to commit.

This is not pertaining to this issue but someone could file a followup to investigate the removal of the user id from the session key that seems like totally unnecessary cos the SESSION is always bound to a specific user anyways.

25: user-pass-reset-1939132-26-complete.patch queued for re-testing.

Great catch!

Committed and pushed to 8.x. Thanks!