I've configured LoginToboggan to allow the user to log in before they've verified their email. But if the user clicks on the link in the email that arrives while still logged in, the whole thing fails.

Their experience goes like this:
1) You go to the site.
2) You register, creating a new account.
3) The system automatically logs you in, assigning you the pre-authenticated user role.
4) You use the site, stay logged in.
5) You get an email with a link, you click the link.
6) You go to the site, where you are already logged in. The system tells you “You are logged in as [username]. Change your password.” This is confusing. You wonder "why do I need to change my password? I just created it."
7) You do nothing else. You've clicked on the link. You think you are done.
8) Meanwhile the email for your account has not been validated. Presumably your account will be deleted in a week. (Not confirmed).
9) If you do wonder if your account was validated properly, and try again while logged in, you get the exact same result.
10) If you log out, and click the link again, the system tells you the link has already been used & won't work anymore.

It's very likely that users will not properly validate their emails. (And their accounts will get deleted?) A mess.

If a user logs out before clicking on the link in the email, then everything works just fine — they are promoted from pre-authenticated user to authenticated user.

Instead, the link in the email should validate the account whether they are logged in or out.

Comments

Gemini Lights’s picture

To configure account registration with immediate login and email verification you need to change the URL token that's being sent by email. By default it's using a password reset token, not the account validation token.

- Go to admin/config/people/accounts
- Under Emails select Welcome (no approval required)
- Remove [user:one-time-login-url] and use [user:validate-url] instead.

Here is an example:

Subject
Take Action: Verify Your Registration for [site:name]

Body
Thank you for registering at [site:name].
Please click on the link below to verify your registration.

[user:validate-url]

If clicking the link above does not work, copy and paste the URL in a new browser window instead.

If you have received this mail in error, you do not need to take any action.

Kind regards,

The [site:name] Team

You can find more tokens in the link below the body.

Also I'm assuming you have LoginToboggan configured as follows:

Set password enabled
Non-authenticated role provided

Immediate login enabled or disabled is up to you.

Hope that helps.

jensimmons’s picture

Category: bug » support
Status: Active » Fixed

That totally helped! Even though I read all the documentation for LoginToboggan, I didn't realize that there are different tokens and I needed to swap them out.

Thanks.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

Issue summary: View changes

fixing punctuation

stevenx’s picture

This issue should get listed in the FAQ and the README of LoginToboggan.
I lost a total day on this issue just thinking the rule did not work and trying to solve this until I found this issue.

HFlame7’s picture

Agree that this solution should be more publicly talked about.

Thanks for it!

118218’s picture

Thank you, I had the same issue there!

sharif.tanveer’s picture

If I change the token to validate URL, it is still throwing an error.

"Sorry, you can only use your validation link once for security reasons."

I've cleared all cache, but no result :(

Azrael256’s picture

Yep, same here. I get the same error message. The problem can be avoided if the user does not connect after registering and before email validation, so disabling the autoconnect feature is a work-around, but then one has to hope the user does not try to manually connect before validating the email address, so obviously not an optimal situation.

firnas’s picture

@sharif.tanveer, @Azrael256: I had the same issue, and eventually found out that it is related to this issue: https://www.drupal.org/node/2455049.
This issue will happen if you are using Drupal core version 7.35.

MarcusTis’s picture

The above issue did not resolve my problem. I am running 7.39 and the error is still:

"Sorry, you can only use your validation link once for security reasons."

firnas’s picture

@MarcusTis: Are you using LoginToboggan version 7.x-1.5?

Larsp1’s picture

@Firnas Yes, the site MarcusTis refers to runs LoginToboggan 7.x-1.5. One detail about the site is that it is currently not possible to update CTools beyond 7.x-1.2. I am not sure if this could affect the LoginToboggan behaviour. I tried using verification links for new users that were either a) logged in when using the link or b) not logged in (new links for each of those users), and both resulted in the same response as MarcusTis gets above.