Hi all,

I have disabled and uninstalled LoginToboggan and found that the login authentication email works fine, but when the module is active the email authentication doesn't work.

I fill in the registration form as follows:

Forename: Test
Surname: Test
Username: Test
Email address: [email]@gmail.com
Password: testing
Confirm password: testing
Organisation: Bloggs

And receive the following message: "A validation e-mail has been sent to your e-mail address. In order to gain full access to the site, you will need to follow the instructions in that message."

The /user/reset/... email link comes through immediately, the link redirects to the user/password page and has the following message: "You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below."

Entering the email address below does finally let the user in after a second confirmation email, but I don't know why this one-time login is always invalid. Could anyone help?

Thanks.

Settings

Allow users to login using their e-mail address - Enabled
Present a unified login/registration page - Unticked
Use two e-mail fields on registration form - Disabled
Set password - Ticked
Non-authenticated role - Unconfirmed
Delete unvalidated users after - Never delete
Immediate login - Unticked
Redirect path on registration - Empty
Redirect path on confirmation - Empty
Override destination parameter - Ticked
Present login form on access denied (403) - Enabled
Display login successful message - Disabled
Minimum password length - 5

Comments

tmwagner’s picture

Priority: Major » Critical
StatusFileSize
new35.23 KB

I'm experiencing the same problem. Even more interesting is the fact that request for a new password generates the same kind of email; one with a one time link. And that one works...

Screenshot of error message attached

tmwagner’s picture

StatusFileSize
new58.38 KB

Addendum: In my recreation of the problem, I'm seeing the following:

First; Logintoboggan is configured to
Allow users to log in with email address
Two email fields disabled.
"Set Password" enabled.
"Immediate Login" enabled.

The behavior is at first, as expected; the user is logged in with chosen password. Email is sent indicating that the account needs to be validated

And this is where things break down. Email contains link to reset password. This is NOT the expected behavior. If I just set my password via the option selected above, why would I get an email for a password reset.

And, not too surprising, the link in the email doesn't work (e.g., the resulting error message indicates that the link link has already been used - which isn't true).
That error is coming from this code in core user.pages.inc (Last line)

   if ($timestamp <= $current && $account = reset($users)) {
      // No time out for first time login.
      if ($account->login && $current - $timestamp > $timeout) {
        drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
        drupal_goto('user/password');
      }
      elseif ($account->uid && $timestamp >= $account->login && $timestamp <= $current && $hashed_pass == user_pass_rehash($account->pass, $timestamp, $account->login)) 

There is nothing wrong with this code - but the function shouldn't be called.

As an aside, we are using the same strategy and modules on a D6 site. Logintoboggan works as it should there...

carlnewton’s picture

Ah, glad it's not just me then. Is anyone able to patch?

carlnewton’s picture

Has anyone found a way of resolving this?

carlnewton’s picture

Bump!

tmwagner’s picture

With a touch of custom code (custom code that does not hack the contrib code)

carlnewton’s picture

Great! Could you paste it here please? I don't know how contributing code works, but presumably it should also be added to the module.

donwinchell’s picture

As per #2
"And this is where things break down. Email contains link to RESET password. This is NOT the expected behavior. If I just set my password via the option selected above, why would I get an email for a password reset."

I am not having the other problems about not being logged in after following the email link but the work-flow that requires a user who has just set a password to re-set it does not seem correct.
Is this the intended work-flow by design LT ?

I have tried to use user_registrationpassword with LT but the two don't seem to work together (I get a verification email from each). But user_registrationpassword does provide what I consider a nice workflow. set password > receive link in email > click link > be returned the website as a logged-in user with no need to re-set the password.

Why don't I just use user_registrationpassword and call it good? Because LT has bunch of other really great features that I want. BUT, user_registrationpassword may be the perfect solution for someone.

But my question, and #2's question remain, is this the intended work-flow for LT: register and create password > receive one-time link in email > click link > return to website > be forced to reset a password that you just set minutes ago

Another thanks for all the good work done by all in creating these modules.

yannisc’s picture

Status: Active » Fixed

I had the same problem, but I found out that I just had to edit the confirmation email (from admin/config/people/accounts) and change the reset password link ([user:one-time-login-url]) with the validate account link ([user:validate-url]).

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

ChrisValentine’s picture

Yes, I found exactly the same - you can misconfigure it so that new users receive two emails with two different URLs, one of which effectively disables their new account.

Unfortunately although the "correct" URL works and the account becomes valid, the page it lands you on is the core "Reset password" page which is very misleading to new users. There doesn't appear to be any way to either customise this page and neither of the LT "Redirect path on confirmation" or "Override destination parameter" are of any help.

Gemini Lights’s picture

By default the URL in the email is set to reset password, not validate account.

Please see this comment to fix the account activation issue:

http://drupal.org/node/2003778#comment-7463486

Gemini Lights’s picture

Issue summary: View changes

Update for clarity

ojchris’s picture

@Gemini Lights: Though written six years ago, your recommendation still works! Amazing