We get issues like #2185011: Site functionality problem or #2179569: Cannot change password after one time login on a regular basis. The issue seems to be that users try to reset the password/use the one-time login while still being logged in.
This needs to be fixed either UI-wise or via some other method.
Steps to Reproduce
1. Log off if necessary
2. Request a new password http://example.com/user/password
3. Log back in with the old password
4. On receiving the password reset email, click on that link to log on
5. When you see "Click on this button to log in to the site and change your password.", do so
Or just go to /user/%/edit and click on the Request a new password link and then skip to #4 above.
First, we try and fix this in core in #889772: Following a password reset link while logged in leaves users unable to change their password; if that gets blocked, we may try a workaround here until it is fixed there.
Comment | File | Size | Author |
---|---|---|---|
#8 | ChangeYourPassword.png | 116.3 KB | mgifford |
Comments
Comment #1
dddave
Comment #2
dddave
Comment #3
drumm
Seems like this could be a Drupal core issue? Is there a good way to work around it?
Comment #4
joachim
> The issue seems to be that users try to reset the password/use the one-time log in while still being logged in.
I see that on my sites too, which suggests it's something to fix in core.
Comment #5
mgifford
@joachim - can you open up a new issue for this Core issue? It's probably still a bug in D8. I think it would be better to try and solve this before it gets back into D7 Core.
Comment #6
joachim
Looks like there's this: #889772: Following a password reset link while logged in leaves users unable to change their password. Does that describe the problem people are having on d.org?
Comment #7
mgifford
I don't think so. That seems to just apply to user/1 and not for users that are already logged in. I really did like their clear instructions for how to repeat the problem though.
Comment #8
mgifford
I then get this in email:
I click on the link, I go to my dashboard with a message at the top of it that says "You are logged in as mgifford. Change your password."
I click on the link and I need my current password to change my password. In which case, what was the point of the reset link I just got?
The email should at least say something about logging out...
Comment #9
mgifford
Comment #10
joachim
That issue probably needs its summary updating -- one of the comments says it's not just about uid 1.
What I don't get about that is why would you do step 3? Indeed, how could you do it if you forgot your password? And if you did 3 because you suddenly remembered it, why would you then do step 4?
Comment #11
mgifford
@joachim - Ya.. I was wondering that too. Seems that humans aren't always all that rational.
Maybe if you forgot your password in Chrome, picked up your email, but then opened your default Firefox browser where your password was already saved?
What would be the easiest way to find out how often this is happening? If it's a couple times a year, who cares. If it's a couple times a day, then we should deal with it quickly.
Comment #12
joachim
I've updated title, summary, & version of #889772: Following a password reset link while logged in leaves users unable to change their password.
Comment #13
YesCT
#10 asked why someone would do the steps there.
I would suggest those are easy steps to reproduce that we can use while working on the issue. Not a description of how people actually find themselves in the situation.
Comment #14
mgifford
Just adding alternate path via /user/%/edit to the summary.
Comment #15
mgifford
Comment #16
kclarkson
Wow this seems like a major bug to me. Has there been a backport patch for D7?
Comment #17
mgifford
As yet there is no patch for this problem.
Comment #18
drumm
#889772: Following a password reset link while logged in leaves users unable to change their password was fixed in core long ago, so this should be fixed on Drupal.org.
Comment #19
drumm