Change record status: 
Project: 
Introduced in branch: 
7.x
Introduced in version: 
7.79
Description: 

The password reset confirmation form, which used to display at a path like user/reset/<user-id>/<timestamp>/<hash>, now redirects to the new path user/reset/<user-id>/<timestamp>/confirm before displaying. This is done to prevent the hashes from being exposed in HTTP Referer headers.

In addition, the HTTP response which displays the form now includes a header "Cache-Control: no-store", to prevent anyone from being able to log in by going back to this form in a browser's history.
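To make the two-step flow concrete, here is a self-contained Python sketch added to this record (it is not Drupal's own code, which is PHP and uses its own rehash routine): the hash is verified on the original URL, stashed in the session under pass_reset_hash, and the browser is redirected to the secret-free confirm path, which is then served with Cache-Control: no-store. The HMAC construction, the 24-hour timeout, the site key and the user record are constructed stand-ins.

```python
import hmac
import hashlib

# Constructed demo values (stand-ins, not Drupal's real key or schema).
SITE_KEY = b"constructed-demo-site-key"
USERS = {42: {"login": 1_700_000_000, "pass": "hashed-pw-placeholder"}}
TIMEOUT = 86400  # one-time link lifetime in seconds (assumed)

def reset_hash(uid, timestamp):
    """HMAC over fields that change once the link is used (last login time,
    password hash), so a consumed link stops validating."""
    u = USERS[uid]
    msg = f"{uid}:{timestamp}:{u['login']}:{u['pass']}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()

def handle_reset_link(uid, timestamp, hashed, session, now):
    """user/reset/<uid>/<timestamp>/<hash>: validate, store the hash in the
    session and redirect to a URL that carries no secret. Any page visited
    from the confirm page can only leak the confirm URL in its Referer."""
    if uid not in USERS or now - timestamp > TIMEOUT or timestamp <= USERS[uid]["login"]:
        return 403, {}, "link expired or already used"
    if not hmac.compare_digest(hashed, reset_hash(uid, timestamp)):
        return 403, {}, "invalid link"
    session["pass_reset_hash"] = hashed
    return 302, {"Location": f"/user/reset/{uid}/{timestamp}/confirm"}, ""

def handle_confirm(uid, timestamp, session, now):
    """user/reset/<uid>/<timestamp>/confirm: re-validate from the session and
    serve the form with Cache-Control: no-store so the browser's back/history
    navigation cannot re-render a usable form from cache."""
    hashed = session.get("pass_reset_hash")
    if (not hashed or now - timestamp > TIMEOUT
            or not hmac.compare_digest(hashed, reset_hash(uid, timestamp))):
        return 403, {"Cache-Control": "no-store"}, "link expired or already used"
    return 200, {"Cache-Control": "no-store"}, "<form>reset form</form>"

def complete_reset(uid, now):
    """Logging the user in updates the login time, which invalidates the hash."""
    USERS[uid]["login"] = now
```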

Impacts: 
Module developers

Comments

mistergroove

This seems to interfere with password reset (maybe only when used in conjunction with the require login module). Resetting password now results in "You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below."

mistergroove

After removing the 'require login' module, I still get the same behaviour. The behaviour seems related to the 'Password Reset Landing Page (PRLP)' module because of this change.

https://www.drupal.org/project/prlp/issues/3208362

mistergroove

So the issue I was having was down to trying to alter the user_pass_reset form, which is no longer possible without a patch it seems. The alter was in the "Password Reset Landing Page (PRLP)" module. Hopefully this will be addressed in core. I can imagine it might break a few sites.

Newly introduced $_SESSION['pass_reset_hash'] doesn't allow to alter user_pass_reset form
https://www.drupal.org/project/drupal/issues/3208600

The PRLP module also needs patching as mentioned here:

One-time login not working
https://www.drupal.org/project/prlp/issues/3208362

Amberdine

Thank you, mistergroove. I guess I can at least deactivate the module until there's a fix.