Like the title says.. when I have the latest release or the latest dev of phpass installed, my users cannot reset their password. They receive the email with the one-time login link, but when they click login, it just loops.

Same problem with both MD5 and phpass options in user settings.

Any ideas on a fix?

Comments

jmseigneur’s picture

I confirm the same issue with 6.x-1.1 and both md5 and secure pass options in users settings.

pwolanin’s picture

Status: Active » Postponed

About to mark 1.x as unsupported as soon as 2.x is working fully with an update path. Let's re-evaluate then.

BogenDorpher’s picture

Ok same problem with 2.x Beta1,

This is the one-time login link that is emailed to the user: http://www.sitename.com/?q=user/reset/27/1310892432/d1ddb57dd8aa420984ca...

When the user clicks it, it doesn't work. However, if you edit the link to be like this, it will work:

http://www.sitename.com/?q=user/reset/27/1310892432/d1ddb57dd8aa420984ca...

Looks like the redirect to change the password causes this problem. I don't have any login redirect modules installed, only Change Password.

pwolanin’s picture

I'm not sure where that destination query string is combing from. That's not something in core, so must be added by some other module you are using.

BogenDorpher’s picture

Ok disregard, I figured out the problem. Looks like the Change Password module causes a conflict with Phpass. More specifically, this piece of code at the bottom of Change Password:

/**
 * Implementation of hook_form_FORM_ID_alter()
 */
function chgpwd_form_user_pass_reset_alter(&$form, &$form_state) {
	if (module_exists('me')){
		$form['#action'] = $form['#action']. "?destination=user/me/edit/chgpwd";
	}else{
		$form['#action'] = $form['#action']. "?destination=user/{$form['#parameters'][2]}/edit/chgpwd";
	}
}

I deleted that code and now users can reset passwords just fine.

pwolanin’s picture

Title: users cannot reset password when running phpass module » users cannot reset password when running without clean URLs
Project: Secure Password Hashes » Change password
Priority: Critical » Major
Status: Postponed » Active

Looks like a bug there - it should not be directly appending a query string with "?"