Introduced in branch: 8.1.x
Introduced in version: 8.1.9
Description:

#2515050: A valid one-time login link may be leaked by the referer header to 3rd parties required changes to the workflow of the password reset confirmation page/form.

Previously, the confirmation form was a standard form displayed immediately on the first page (the page reached from the one-time login link), with a submit callback, and it was possible to add additional submit and validation callbacks.

Now, that first page redirects to an intermediate page which displays the form. The form is then submitted to a different page, which logs the user in. No form processing happens on that page, so submit and validate callbacks are no longer invoked.

To alter the behavior of the page that logs the user in, it is necessary to alter the user.reset.login route and replace its controller.

This might also affect sites that alter the user.reset route.

As a side effect of this change, Drupal 8 now again supports logging in immediately without a confirmation form by appending /login to the one-time login link path.
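As an added example (not part of this change record or of Drupal core), a module that follows the instruction above: a route subscriber replaces the controller of user.reset.login with one that writes an audit log entry and then delegates to core, which still validates the link. The module name "mymodule", the class names and the log message are assumptions, and the controller signature is assumed to match the 8.1.x route.

```php
<?php
// Added example, not Drupal core code. Assumes a custom module "mymodule";
// class names, file layout and log message are assumptions, and the
// controller signature ($uid, $timestamp, $hash) is assumed for 8.1.x.

// File: mymodule/src/Routing/RouteSubscriber.php
namespace Drupal\mymodule\Routing;

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

/**
 * Swaps the controller of user.reset.login, because that page runs no
 * form submit or validate callbacks after this change.
 */
class RouteSubscriber extends RouteSubscriberBase {

  protected function alterRoutes(RouteCollection $collection) {
    if ($route = $collection->get('user.reset.login')) {
      $route->setDefault('_controller', '\Drupal\mymodule\Controller\ResetLoginController::resetPassLogin');
    }
  }

}

// File: mymodule/src/Controller/ResetLoginController.php
namespace Drupal\mymodule\Controller;

use Drupal\user\Controller\UserController;

/**
 * Records an audit entry, then lets core perform the one-time login.
 */
class ResetLoginController extends UserController {

  public function resetPassLogin($uid, $timestamp, $hash) {
    // Core still checks the timestamp and hash and rejects expired or
    // already-used links; this only adds an audit trail entry first.
    $this->getLogger('mymodule')->notice('One-time login link used for uid @uid from @ip.', [
      '@uid' => $uid,
      '@ip' => \Drupal::request()->getClientIp(),
    ]);
    return parent::resetPassLogin($uid, $timestamp, $hash);
  }

}

// File: mymodule/mymodule.services.yml (registers the subscriber):
// services:
//   mymodule.route_subscriber:
//     class: Drupal\mymodule\Routing\RouteSubscriber
//     tags:
//       - { name: event_subscriber }
```

Clear the cache after adding the module so the altered route definition is rebuilt.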

Impacts: 
Site builders, administrators, editors
Module developers