Using latest Ubercart 3 under D7.43.

When an anonymous user completes a purchase, they receive two emails: one order notice, and one welcome with one-time password link to log in and set their account password.

The one-time link, when followed, ALWAYS gives the red "You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below" message.

Using the suggested 'form below' to send another one-time link sends an email containing a one-time link that works correctly, granting access to the account.

Notes:
* Anonymous user selects their own username and password in the checkout (not sure if that's causative or not, have not tried letting Ubercart set dummy values).

Just ask if more info needed.

Comments

neilsky created an issue.

TR wrote:

Perhaps this is caused by the same problem you had in #2738745: Anonymous buyer sent Home, not to Order Completed page?

neilsky wrote:

Sadly, not the same cause: this problem remains. I added an exception to NOT redirect from /user/reset/* paths, but the error remains precisely the same.

Further Ubercart testing:

Manual reset always works
If a user *manually* requests one-time reset access through the Drupal core password reset mechanism, the email reset link works as expected.

Logged in for order always works
If the user is logged in when placing the order, the account exists and there is no issue with setting or resetting passwords.

Not logged in for order gives bad one-time link
There is an incompatibility between the Drupal core login manager and what Ubercart does. If the user is not logged in when completing their order, they receive TWO emails. The first email is the Order email from Ubercart. Buried in this email is a paragraph telling the (new) user their username AND password: the password text is "Your password" if the user selected their own, but the ACTUAL password if Drupal auto-generated it. These credentials correctly effect a manual login.

As an aside, it is my view that security-wise, login credentials do NOT belong in an Order email, as that paperwork is likely to go to accountants/others for recordkeeping/tax purposes. Login credentials would be better sent as a separate email (if at all--given the one-time login system is to avoid sending login credentials via insecure email).

The user also receives a second email to advise that they have a new account. This garners user attention: while they are EXPECTING the Order email as a record of the transaction, they may NOT expect the New Account email sent by Drupal core (and which contains the bad one-time login link) and are therefore prompted to pay attention and follow its instructions, despite having a username and password already reported in the Order email.

Following the one-time link
If the user follows the Drupal core one-time email link while they are still logged in from the purchase, then they see a Drupal admin message that they are already logged in, with an embedded link to go change their password. The password change window then requires them to enter their EXISTING password in order to set a new one. The existing password is in the Order email, but they probably haven't noticed it. At this point they are stumped and frustrated.

If the user follows the one-time email link while they are NOT logged in, then they see the error message stating that the link is invalid or has already been used (the original reported error for this ticket), and are optionally directed to request one-time recovery access. That is hardly elegant, but at least is less confusing and frustrating than the still-logged-in sequence.

Notes: The following additional relevant Modules are installed and active:
* Login Destination (which is set to NOT redirect from any /cart or /user/reset pages)
* Login Toboggan (Rules and Variables both active; Content Access is not because that module is not installed; Registration Toboggan is not active)

Temporary workaround
I have written new user instructions on the Ubercart Order Complete page to guide the user so that hopefully they don't get confused.

Suggestion
Drupal core should include a one-time link instruction in new-account emails ONLY for new accounts that actually need to choose their own password: i.e. did NOT select their own password when creating the account.
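An added illustration, not from this thread and not Drupal's or Ubercart's own code: a simplified Python model of how a Drupal 7 one-time login link is validated. The link carries a timestamp and an HMAC bound to the account's last-login time and stored password hash, so if the account is logged in or re-saved with a different password after the welcome email was rendered, the link fails with the "used or no longer valid" outcome, while a link requested later via the password form works. Function names, the hash layout, and the assumption that this is what happens during checkout are all mine.

```python
import hmac
import hashlib

# Constructed stand-in for the site's private key (not a real Drupal value).
SITE_PRIVATE_KEY = b"constructed-site-private-key"


def make_account(uid, pass_hash, login):
    # Minimal account record: uid, stored password hash, last-login timestamp.
    return {"uid": uid, "pass": pass_hash, "login": login}


def rehash(account, timestamp):
    """Model of the link hash: HMAC over (timestamp, last login, uid) keyed by
    site key plus stored password hash. Assumed layout, not Drupal's exact one,
    but it shares the property that matters: any later login or password
    change changes the expected hash."""
    msg = f"{timestamp}{account['login']}{account['uid']}".encode()
    key = SITE_PRIVATE_KEY + account["pass"].encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_reset_url(account, now):
    return f"/user/reset/{account['uid']}/{now}/{rehash(account, now)}"


def validate_reset_url(url, account, now, timeout=86400):
    """Returns "ok", "expired" or "invalid", mirroring the three core outcomes."""
    _, _, _, uid, ts, digest = url.split("/")
    uid, ts = int(uid), int(ts)
    if uid != account["uid"] or ts > now:
        return "invalid"
    if account["login"] and now - ts > timeout:   # no timeout for never-logged-in
        return "expired"
    # Link must not predate the last login, and the HMAC must still match.
    if ts >= account["login"] and hmac.compare_digest(digest, rehash(account, ts)):
        return "ok"
    return "invalid"


def scenario_login_after_mail():
    """Welcome mail rendered, then the customer gets logged in (login stamp moves)."""
    t0 = 1_700_000_000
    acct = make_account(42, "$S$constructedhash", login=0)
    url = build_reset_url(acct, t0)
    acct["login"] = t0 + 5                    # login happened after the mail was built
    return validate_reset_url(url, acct, t0 + 60)


def scenario_password_saved_after_mail():
    """Welcome mail rendered with a generated password, account then re-saved."""
    t0 = 1_700_000_000
    acct = make_account(42, "$S$randomhash", login=0)
    url = build_reset_url(acct, t0)
    acct["pass"] = "$S$customerchosenhash"   # customer-chosen password stored later
    return validate_reset_url(url, acct, t0 + 60)


def scenario_manual_request_later():
    """Link requested via the password form after the checkout: timestamps line up."""
    t0 = 1_700_000_000
    acct = make_account(42, "$S$customerchosenhash", login=t0 + 5)
    url = build_reset_url(acct, t0 + 120)
    return validate_reset_url(url, acct, t0 + 180)
```

The first two scenarios reproduce the "used or no longer valid" outcome reported above; the third is the manual reset that always works.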

fonant wrote:

For what it's worth I have a similar problem with Drupal core's password reset system.

In my case the person requesting the reset seems to be using a corporate email system that follows links contained in emails. The email scanner consumes the one-time login link, so the recipient of the message can't.

The system that was following the one-time link belongs to https://www.mimecast.com/.

MichaelGreisman wrote:

I've tested this extensively using my own email accounts; it is definitely reproducible. My condensed description repeats some of Neilsky's entry, but is hopefully useful.

The one-time link generated for the Ubercart account-info email never works, resulting in the error message "Sorry, you can only use your validation link once for security reasons. Please log in with your username and password instead now."

I have these options enabled:
[x] Allow new customers to specify a username
[x] Allow new customers to specify a password
While testing, I am specifying a username and password.
[x] Send new customers a separate e-mail with their account details
[x] Set new customer accounts to active

and this one left disabled:
[ ] Log in new customers after checkout