As I was looking at a website logs, I noticed some errors in Core (#2568673: user_pass_rehash() checks field "login" as a string instead of an integer) and that error led me to think that the 3rd parameter of user_pass_rehash() was the email address of the user.

Not at all, it is the "login" field which represents the timestamp of the last user login attempt. So all your calls to your function named logintoboggan_eml_rehash() are wrong. They need to specify $account->login and not $account->mail.

I would also suggest you pass $account->uid as the new 4th parameter:

function logintoboggan_eml_validate_url($account){
  $timestamp = time();
  return url("user/validate/$account->uid/$timestamp/". logintoboggan_eml_rehash($account->pass, $timestamp, $account->login, $account->uid), array('absolute' => TRUE));
}

function logintoboggan_eml_rehash($password, $timestamp, $login, $uid) {
  return user_pass_rehash($password, $timestamp, $login, $uid);
}

There are "many" locations where you call logintoboggan_eml_rehash() so you want to make sure to fix all of them.

CommentFileSizeAuthor
#3 logintoboggan-user-pass-hash-param-2568677.patch2.02 KBsagannotcarl
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

AlexisWilke created an issue. See original summary.

sagannotcarl’s picture

sagannotcarl CreditAttribution: sagannotcarl as a volunteer commented
Version: 6.x-1.x-dev » 7.x-1.x-dev
Related issues: +#2997772: Validation url is incorrect if user has uppercased email, +#2455049: Various one-time-login and validation links don't work with Drupal 6.35+
sagannotcarl’s picture

sagannotcarl CreditAttribution: sagannotcarl as a volunteer commented
FileSize
logintoboggan-user-pass-hash-param-2568677.patch2.02 KB

I am still experiencing intermittent issues with the email validation url. At first I thought it was the same issue talked about on the project page about being compatible the drupal core changes to `user_pass_rehash` but version 1.5 didn't fix the issue for me.

I think that this old issue is actually still happening. I'm not sure why the current release still has the user email as the third parameter of `user_pass_rehash`. Here is a patch that fixes it to use the correct parameter.

I haven't tested it explicitly but I'm guessing that this patch would fix #2997772: Validation url is incorrect if user has uppercased email also.