We get issues like #2185011: Site functionality problem or #2179569: Cannot change password after one time login on a regular basis. The issue seems to be that users try to reset the password/use the one-time log in while still being logged in.

This needs to be fixed either UI wise or via some other method.

Steps to Reproduce

  1. Log off if necessary
  2. Request a new password http://example.com/user/password
  3. Log back in with the old password
  4. On receiving the password reset email, click on that link to log on
  5. When you see "Click on this button to log in to the site and change your password.", do so

or just go to /user/%/edit and click on the "Request a new password" link and then skip to #4 above.

Dashboard when logged in.

First, we try and fix this in core in #889772: Following a password reset link while logged in leaves users unable to change their password; if that gets blocked we may try a workaround here until it is fixed there.

Comment | File | Size | Author
#8 | ChangeYourPassword.png | 116.3 KB | mgifford

Comments

dddave’s picture

Project: Drupal.org site moderators » Drupal.org customizations
Version: » 7.x-3.x-dev
Component: User account » User interface

drumm’s picture

Seems like this could be a Drupal core issue? Is there a good way to work around it?

joachim’s picture

> The issue seems to be that users try to reset the password/use the one-time log in while still being logged in.

I see that on my sites too, which suggests it's something to fix in core.

mgifford’s picture

@joachim - can you open up a new issue for this Core issue? It's probably still a bug in D8. I think it would be better to try and solve this before it gets back into D7 Core.

joachim’s picture

Looks like there's this: #889772: Following a password reset link while logged in leaves users unable to change their password. Does that describe the problem people are having on d.org?

mgifford’s picture

I don't think so. That seems to just apply to user/1 and not for users that are already logged in. I really did like their clear instructions for how to repeat the problem though.

  1. Log off if necessary
  2. Request a new password
  3. Log back in with the old password
  4. On receiving the password reset email, click on that link to log on
  5. When you see "Click on this button to log in to the site and change your password.", do so

mgifford’s picture

I then get this in email:

mgifford,

A request to reset the password for your account has been made at Drupal.org.

You may now log in to drupal.org by clicking on this link or copying and
pasting it in your browser:

https://drupal.org/user/reset/abunchofrandomcharacthers

This is a one-time login, so it can be used only once. It expires after one
day and nothing will happen if it's not used.

After logging in, you will be redirected to
https://drupal.org/user/27930/edit so you can change your password.

Attention: The username on Drupal.org is case sensitive.

I click on the link, I go to my dashboard with a message at the top of it that says "You are logged in as mgifford. Change your password."

I click on the link and I need my current password to change my password. In which case, what was the point of the reset link I just got?

The email should at least say something about logging out...
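
The case reported in this thread (an already logged-in user follows the one-time link and is then asked for the current password) can be handled by treating a valid link as proof of mailbox control whatever the session state. The model below is an added example, not Drupal core or Drupal.org code; the function names, session keys, token layout and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SITE_KEY = secrets.token_bytes(32)  # constructed per-run signing key
LINK_TTL = 24 * 3600                # the email says the link expires after one day


def link_token(account, ts):
    # Bound to the current password hash, so changing the password voids the link.
    msg = f"{account['uid']}:{account['pass_hash']}:{ts}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()


def follow_reset_link(session, account, ts, token, now):
    """Decide what a click on the emailed one-time link does."""
    valid = (0 <= now - ts <= LINK_TTL
             and ts not in account["used_links"]
             and hmac.compare_digest(link_token(account, ts), token))
    if not valid:
        return "rejected"
    if session.get("uid") not in (None, account["uid"]):
        return "log_out_first"  # never switch accounts silently
    # Anonymous visitor or the same user already logged in: the click proves
    # control of the mailbox in both cases, so both get the same treatment.
    account["used_links"].add(ts)  # one-time: consume the link
    session["uid"] = account["uid"]
    session["reset_pass"] = secrets.token_urlsafe(32)
    return "edit_password"


def change_password(session, account, new_hash, current_hash=None):
    """Require the current password unless the session came from a valid link."""
    if session.get("uid") != account["uid"]:
        return False
    via_link = session.pop("reset_pass", None) is not None  # single use
    knows_current = (current_hash is not None
                     and hmac.compare_digest(current_hash, account["pass_hash"]))
    if not (via_link or knows_current):
        return False
    account["pass_hash"] = new_hash
    return True
```
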

mgifford’s picture

Issue summary: View changes

joachim’s picture

That issue probably needs its summary updating -- one of the comments says it's not just about uid 1.

  1. Log off if necessary
  2. Request a new password
  3. Log back in with the old password
  4. On receiving the password reset email, click on that link to log on
  5. When you see "Click on this button to log in to the site and change your password.", do so

What I don't get about that is why would you do step 3? Indeed, how could you do it if you forgot your password? And if you did 3 because you suddenly remembered it, why would you then do step 4?

mgifford’s picture

@joachim - Ya.. I was wondering that too. Seems that humans aren't always all that rational.

Maybe if you forgot your password in Chrome, picked up your email, but then opened your default Firefox browser where your password was already saved?

What would be the easiest way to find out how often this is happening? If it's a couple times a year, who cares. If it's a couple times a day, then we should deal with it quickly.

YesCT’s picture

Issue summary: View changes

#10 asked why someone would do the steps there.
I would suggest those are easy steps to reproduce that we can use while working on the issue. Not a description of how people actually find themselves in the situation.

mgifford’s picture

Issue summary: View changes

Just adding alternate path via /user/%/edit to the summary.

mgifford’s picture

Issue summary: View changes

kclarkson’s picture

Wow this seems like a major bug to me. Has there been a backport patch for D7?

mgifford’s picture

Issue tags: +password reset

As yet there is no patch for this problem.

drumm’s picture

Status: Active » Fixed

drumm’s picture

Status: Fixed » Closed (cannot reproduce)