Problem/Motivation

Deleting a user account while requiring email confirmation creates a one-time link that is emailed to the user. The one-time login link uses the user's last login date as part of its hash, so if the user logs out then logs back in during the process, the link automatically invalidates.

Steps to reproduce

* Create an account.
* Log in.
* Request to delete the account.
* Log out.
* Log back in.
* Click email link.

Proposed resolution

I can see the value in having `$account->getLastLoginTime()` for password resets, but don't understand why it would form part of the hash for account deletion requests. I would suggest refactoring the one-time password hashing method, so that there's an option to generate a hash without getLastLoginTime() for scenarios such as account deletion.

Remaining tasks

Yes

User interface changes

No

API changes

TBD

Data model changes

TBD

Release notes snippet

TBD

Comments

amartin_csm created an issue. See original summary.
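Added example, not code from the issue or from Drupal core: a stand-alone PHP model of the one-time link hash described above. It signs the same kind of inputs the report refers to (timestamp, last login time, uid, email, keyed by a site salt plus the password hash) and walks through the steps to reproduce, then shows the proposed variant that leaves the last login time out for deletion links. The class and function names (Account, make_login_hash, verify_login_hash), the salt value, the 24 h expiry and the sample account are assumptions made for this illustration.

```php
<?php
// Added illustration of the one-time link scheme discussed in this issue.
// Not Drupal core code: helper names, salt, expiry and sample data are
// assumed here so the script runs on its own (PHP >= 8.1).

declare(strict_types=1);

final class Account {
    public function __construct(
        public readonly int $uid,
        public readonly string $email,
        public int $lastLogin,                 // UNIX timestamp of last login
        public readonly string $passwordHash,  // stored password hash
    ) {}
}

const HASH_SALT = 'constructed-site-salt-do-not-reuse'; // stands in for a site-wide secret
const LINK_TTL  = 86400;                                // assumed one-day validity

/**
 * Build the HMAC for a one-time link. With $bindToLogin the account's last
 * login time is part of the signed data, so any later login changes the
 * expected value and the old link stops validating.
 */
function make_login_hash(Account $account, int $timestamp, bool $bindToLogin = true): string {
    $fields = [$timestamp];
    if ($bindToLogin) {
        $fields[] = $account->lastLogin;
    }
    $fields[] = $account->uid;
    $fields[] = $account->email;
    $data = implode(':', $fields);
    // The key mixes a site-wide secret with the password hash, so a password
    // change also revokes every outstanding link for the account.
    $key = HASH_SALT . $account->passwordHash;
    // URL-safe base64 without padding, suitable for a path segment.
    return rtrim(strtr(base64_encode(hash_hmac('sha256', $data, $key, true)), '+/', '-_'), '=');
}

/**
 * Verify a link the way a reset/cancel controller would: reject expired or
 * future timestamps, recompute the HMAC from the account's current state and
 * compare in constant time.
 */
function verify_login_hash(Account $account, int $timestamp, string $hash, int $now, bool $bindToLogin = true): bool {
    if ($timestamp > $now || $now - $timestamp > LINK_TTL) {
        return false;
    }
    return hash_equals(make_login_hash($account, $timestamp, $bindToLogin), $hash);
}

// --- Walk through the steps to reproduce from the issue ---------------------
$now  = 1_700_000_000;                                       // constructed clock
$user = new Account(42, 'alice@example.test', $now - 3600, '$2y$10$constructedpasswordhash');

// Request account deletion: the emailed link carries $now and this hash.
$cancelHash = make_login_hash($user, $now);
var_dump(verify_login_hash($user, $now, $cancelHash, $now + 60));

// Log out and back in: last login moves forward, so the same link now fails.
$user->lastLogin = $now + 120;
var_dump(verify_login_hash($user, $now, $cancelHash, $now + 180));

// Proposed variant for deletion links: not bound to last login, so a
// further login does not revoke it. Expiry and the password hash still do.
$cancelHash2 = make_login_hash($user, $now, bindToLogin: false);
$user->lastLogin = $now + 300;
var_dump(verify_login_hash($user, $now, $cancelHash2, $now + 360, bindToLogin: false));
```

Run with `php script.php`: the first check passes, the second fails after the simulated re-login, and the third passes because the deletion hash no longer covers the last login time. The trade-off the proposal implies is visible here: binding to the last login is what lets "log in again" act as a revocation step, so a deletion link generated without it stays valid until it expires or the password hash changes, and the expiry window then carries more of the security weight.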

quietone

Version: 10.2.x-dev » 11.x-dev

Fixes are made on 11.x (our main development branch) first, and are then back ported as needed according to our policies. Also, 10.2 is in security mode now.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.