Summary

If a user does not immediately set a new password after email-resetting an expired account, they get stuck in a loop they cannot get out of without restarting the whole process from scratch.

This looked a lot like #2856878: password expired message still shows upon resetting password via email., but it's actually subtly different, and more a problem of how things work when a user does not follow instructions.

Given a case where:

  • User has not logged in for a while, their password has expired.
  • User has forgotten the password - because that goes together.
  • User visits login at /user, and triggers a password reset.
  • User gets password reset link and is given the "one time login" page. Note: no mention of password expiry yet.
  • Using the one time login, they are taken to their account page.
  • On the account page, they get a GREEN welcome message: "You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password."
  • No mention of password expiry.

(Screenshot: password should be reset)

IF the user follows the suggestion, they should be OK.
IF the user instead attempts to start using the site immediately:
They get bounced back to their account page, with a new RED warning "Your password has expired, please update it"

(Screenshot: password cannot be reset)

That in itself would be annoying, but what's really a problem now is that this form now also requires you to enter your old password ... and in this user story, the user doesn't know the old password - that's why they came this route.

They are now in an impossible loop, there is nothing they can do. They just keep getting redirected. They can't even use the rest of the read-only site like a normal user now.
(The form also presents a "reset your password" link in the help text ... and this link is inoperable! - also a bug)

The only escape is to :

  • Log out.
  • Attempt to log in again,
  • Repeat the 'reset your password' process from scratch, via email,
  • and next time ensure that the first and ONLY thing they do is add a new password, like the green box politely suggested.

Solution?

Well, I'm aware of the core security issues that make it necessary to enter the old password before setting a new one. And this is why only the VERY FIRST visit to the user admin form is allowed to get away with not doing that.
I have seen the problems that can ensue when a contrib module tries to intercept and persist that magic one-time cookie (I believe this is what Legal Module got into trouble for [#2869127]).

We cannot stop the user from leaving the page, clicking 'home' or attempting to get on with the job they wanted to do immediately, yet that's where the problem starts.

Proposal: The warning about an expired password that makes the site un-usable should be surfaced earlier and louder.

The 'your password has expired - you MUST change it' should be a warning, in red, on the first two pages - if at all possible.

The team here has also suggested going full 'modal' or taking drastic theme steps to reduce the user page to only its bare components - removing all navigation from it. Those options don't seem to be very correct.


Comments

dman created an issue. See original summary.

dman

Issue summary: View changes
Welsby

I'd suggest making the message a red (error), and also adding a window.onbeforeunload javascript hook to warn users who try to navigate away.

Steven Jones

Status: Active » Closed (duplicate)

This is a duplicate of #2856878: password expired message still shows upon resetting password via email. and there's a patch over there.

Watchers on this issue, maybe you could help by testing out the patch please.

Steven Jones

Status: Closed (duplicate) » Active

Apologies!
Just noticed that it's not a duplicate, and you say as much. So sorry!

Steven Jones

Password policy in D7 used to keep the password reset token in the session, so that when it did the redirect back to the change password page, it would include that, resolving the UX issue.

Sophie.SK

This is becoming a big issue for one of our clients now. Users see their profile in the website theme rather than the admin area, so it's much easier for them to miss the warning that their password needs resetting. Especially since the people who use the site tend to log in, make a payment, and leave without editing their profile.

Is there any scope for storing the password reset token in session? Or preventing the page from unloading? Is there another UX solution?

Happy to provide a patch to add a JS alert when unloading the page but it would be good to have a better solution for this.

paulocs

Assigned: Unassigned » paulocs
Category: Support request » Bug report

Working on it.

paulocs

Assigned: paulocs » Unassigned
Status: Active » Needs review

Created a merge request that saves the pass-reset-token in the session to check if the user comes from one time login.

Please review...
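The session-token mechanism Steven Jones describes for D7 and that paulocs's merge request brings back, sketched as an added example in the shape of a Drupal 9/10 request subscriber. This is illustrative code written for this page, not the password_policy module's own subscriber and not the merge request's code. It assumes the session key `pass_reset_<uid>` and the `pass-reset-token` query parameter that core's UserController::resetPassLogin and the account form use, a boolean `field_password_expiration` on the user entity behind the module's "Password Expiration" checkbox, and a service definition wiring the class up; none of those details appear on this page.

```php
<?php

namespace Drupal\password_policy_example\EventSubscriber;

use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\Core\Session\AccountProxyInterface;
use Drupal\Core\Url;
use Drupal\user\Entity\User;
use Drupal\user\UserInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Sends users whose password has expired back to the account form and
 * re-attaches the one-time-login token kept in the session, so a user who
 * arrived through the email link is not asked for the old password again.
 * Illustrative only; assumes a service definition in the module's
 * *.services.yml with tag 'event_subscriber'.
 */
class ExpiredPasswordRedirectSubscriber implements EventSubscriberInterface {

  public function __construct(
    protected AccountProxyInterface $currentUser,
    protected RouteMatchInterface $routeMatch,
  ) {}

  public static function getSubscribedEvents(): array {
    // Priority 30: after routing has run, so the route name is available.
    return [KernelEvents::REQUEST => ['onRequest', 30]];
  }

  public function onRequest(RequestEvent $event): void {
    if (!$event->isMainRequest() || $this->currentUser->isAnonymous()) {
      return;
    }
    $uid = (int) $this->currentUser->id();

    // Routes that must stay reachable, otherwise the redirect loops on
    // itself and the user cannot even log out or use the one-time link.
    $allowed = ['entity.user.edit_form', 'user.logout', 'user.reset', 'user.reset.login'];
    if (in_array($this->routeMatch->getRouteName(), $allowed, TRUE)) {
      return;
    }
    if (!$this->passwordIsExpired($uid)) {
      return;
    }

    // Core stores the one-time-login token under 'pass_reset_<uid>' in the
    // session and hands it to the account form as 'pass-reset-token'. Passing
    // it along on the redirect keeps the "no old password needed" state that
    // the token already authorises for this session; without a token the form
    // correctly keeps demanding the old password.
    $query = [];
    $session = $event->getRequest()->getSession();
    $key = 'pass_reset_' . $uid;
    if ($session->has($key)) {
      $query['pass-reset-token'] = $session->get($key);
    }

    $url = Url::fromRoute('entity.user.edit_form', ['user' => $uid], ['query' => $query]);
    $event->setResponse(new RedirectResponse($url->toString()));
  }

  /**
   * Assumed expiry check: reads the boolean field behind the module's
   * "Password Expiration" checkbox. The real module's check is more involved.
   */
  protected function passwordIsExpired(int $uid): bool {
    $user = User::load($uid);
    return $user instanceof UserInterface
      && $user->hasField('field_password_expiration')
      && (bool) $user->get('field_password_expiration')->value;
  }

}
```

The security property this preserves is the one dman mentions: a password change without the old password is only ever authorised by the token that the email link placed in this session, and the subscriber never creates a token, it only forwards one that core already issued. The redirect also has to fire on every route outside the allowlist, which is exactly the point hmendes raises later: if the subscriber lets the user browse instead, an account with an expired password can keep using the site indefinitely.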

hmendes

Status: Needs review » Needs work

Although it is not setting any error message about the expired password (as the original proposed resolution asked), I don't know if it's really needed, now it looks exactly like core's behavior:

  • You forget the password and click to reset it.
  • Join the site with the one-time-login link.
  • You will be redirected to a page where you can reset your password.
  • You can browse the site, but if you click on your profile to reset the password, you would have to enter the old password again, so, basically, you would have to ask for another one-time-login link.

Because of this behavior, where the user must ask for another one-time-login link to reset the password if they browse the site without resetting the password the first time, I don't think we need to set a message telling that the password has expired, because one of 2 things can happen: the user remembers the password, and when they log in to the website, it will ask them to update the password, or eventually they will reset the password with the one-time-login link, and of course, they're already setting a new password, so it will not be expired.

BUT.... there's one problem after applying the MR:
Steps:

  • Create a user, and check the Password Expiration checkbox
  • Log out and click on the Reset your Password tab
  • Join using the one-time-login link
  • Go to the home page without changing your password (with the applied MR you can do this now)
  • Now log out again and try to log in normally
  • You'll be redirected to your account page with a message telling you that your password is expired
  • BUT, you can go to the home page even having your expired password (the same pages that you visit while having the one-time-login link are the same pages that you'll be able to visit on your normal login)

paulocs

Status: Needs work » Needs review
hmendes

Status: Needs review » Reviewed & tested by the community

Now the bug is gone, thanks.
Changing this to RTBC.

  • paulocs committed 5be9d92 on 8.x-3.x
    Issue #2884567 by paulocs, dman, Steven Jones, hmendes, Welsby, Sophie....
paulocs

Status: Reviewed & tested by the community » Fixed

Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

ericdsd

I see that the point of @hmendes at #11 was ignored, but I think his point is worth being discussed. And it could possibly be worth adding an option to choose one behavior or another instead of simply adopting the current behavior that lets users with an expired password fully use the site when using password reset (without really changing their password).

daisyleroy

File size: 1.62 KB

Hello,
Here is a patch allowing this functionality to be rolled back for those who would like to keep the user/edit redirection with the one-time-login link.

( works also with the release 4.0.0)

Kristen Pol

Please open a new issue for any additional work as this issue is marked closed/fixed. You can link to this one. Thanks.