When a user requests a one-time login/password reset, we email them a new random password in plaintext. When they use it, we say "please change your password" but do not require them to do so. I suggest that we require them to change it. Here is how I've implemented it so far:
- Whenever a one-time login is used, set a session variable ($_SESSION['user_pw_change']) to TRUE.
- On hook_init, if the session variable is true, display a message and redirect to user/uid/edit.
- If the session variable is set, the password fields on the user_edit form are required.
- When the password is changed, unset the session variable.
The end result is that you can't go anywhere on the site except user/uid/edit until you change your password. Since I am using a session variable, this effect is NOT persistent if you wipe your session cookie; we could of course make it persistent via a column in the users table.
Once we are doing this, I suggest that we stop issuing randomly generated passwords via email at all. We can just send initial-login links that are valid until the user first logs in, then require them to set their initial password immediately.
Passed: 12234 passes, 0 fails, 0 exceptions
Passed: 12204 passes, 0 fails, 0 exceptions
Failed: Failed to apply patch.