Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.When a person uses a one-time login link in order to reset her password and she is already logged in to that site, then she won't be able to reset her password. In Drupal 7, you need to know your current password in order to create a new password. The exception to that is by generating a one-time log-in. But the succssful use of that log-in depends on the person being logged out of the site when the link is used.
I propose a solution which gives a drupal_set_message of type "warning" with descriptive text and a logout link:
drupal_set_message(t('You are logged in as %user. You need to be <a href="!logout">logged out</a> in order to initiate a password change via an email link. After <a href="!logout">logging out</a>, go back to your email and click on the log-in link again there.', array('%user' => $user->name, '!logout' => url('user/logout'))), 'warning');
Shai
Comments
Comment #0.0
Shai commentedI added clarity on the problems with "Reset password" on the user/edit page.
Comment #0.1
Shai commentedtypo, changed "rest" to "reset"
Comment #0.2
Shai commentedformatting: in a long post, I want to make my proposed solution stand out more.
Comment #1
Shai commentedHere is a patch.
Comment #2
Shai commentedChanging status to needs review so the bot will test it.
Comment #2.0
Shai commentedSilly me, I can't put a strong tag inside code tags.
Comment #2.1
Shai commentedTotal simplification and rewrite of this issue... since it hasn't gotten any attention yet, I felt fine in doing that and hoping the shorter text will be more inviting for people to join in.
Comment #2.2
Shai commentedput the actual code I put in the patch.
Comment #3
Nephele commentedFYI, this overlaps significantly with #75924: Include fields for resetting password on the one-time password reset page, although I'm guessing it qualifies as a minimal bug fix separate from the refactoring being done there.
I agree that this message needs to be reworded because it is incorrect. I've reviewed and tested the patch and think it fixes the problem. Instead of adding a backport-to-d7 tag, I'm adding a d7 version of the patch (alternatively, the d8 patch can be applied using -p2 instead of -p1).
Comment #4
catchHmm if the link validates, can't we log them out on this screen rather than giving instructions?
Comment #5
Shai commented@catch, +1, much better fix proposed than the patch.
Comment #6
Nephele commentedI'm just not sure that it makes sense to tackle anything more significant than improving the message in the context of this issue.
There's already an effort to revamp the whole password-reset feature (#75924: Include fields for resetting password on the one-time password reset page), so that's where I think larger-scale changes should be addressed. However, that's not going to get implemented until at least 8.x. In the meantime, fixing the message is a change that can be incorporated into both 7.x and 8.x to help current drupal users who encounter this problem.
Comment #7
FSheFF commentedThe issue is that if users leave the edit tab on their account without changing their password the session key is abandoned and upon return they then see the current password challenge. That challenge can be removed in 7 via the No Current Pass module. Works quite well.
Comment #8
Shai commented@FSheff,
I don't think dissabling the current password requirement is a good solution. This was a great improvement in Drupal. Just turning it off with a module, isn't a solution, when there are much betters ways to truly solve the problem.
I agree with Nephele that committing this patch and backporting to 7 would simply put us in a better place to do a more sophisticated solution that other people are already working on. But with this fix in place, we will at least prevent a lot of hair pulling for people who run into this bug.
Shai
Comment #9
andymartha commentedAccording to Nephele's comment in #6, "I'm just not sure that it makes sense to tackle anything more significant than improving the message in the context of this issue."
In a fresh installation of Drupal 8.x-dev from March 6, 2013, I was able to recreate the login loop/bug described in the issue. If you are logged in, you can't change your password. See screenshots.
After applying patch drupal-one_time_pw_message_when_logged_in-1872404-1.patch in #1 by Shai, the message changed to include links to logging out and a much clearer description. I was able to change my password from the email. See screenshots. The patch does as described for me.
Comment #10
dries commentedI don't understand. If you are logged in, why would you want to reset your password using a password reset link? Care to elaborate on the use case?
Comment #11
Shai commentedDries and all,
Here is the most common case:
Some time ago, user x tried Chrome for the first time and loves it. Then she navigates in Chrime to a Drupal site example.com where she has an account. But she doesn't remember her password. She initiates the password reset process and she receives the one-time log-in in her email. Her default browser on her computer is Firefox and so the link launches Firefox. On example.com she still has an active session in her Firefox browser.
This scenario is not uncommon and really frustrating in D7. The user typically has no clue it is related to her change in browsers or the default browser setting.
Hope that helps.
Shai
Comment #12
webchickHm. #75924: Include fields for resetting password on the one-time password reset page doesn't look like it's had a patch since Nov 2012, so not sure it makes sense to hold up anything on that. I don't see why catch's suggestion wouldn't be backportable to D7. In fact, it's arguably more backportable, since a string change in such a user-facing area of the site can be problematic in stable releases.
Comment #13
webchickOh, FWIW I've totally hit the use case in #11 myself before numerous times and it'd be nice to fix it. :)
Comment #14
webchickAlso, if we change the behaviour here, this will need automated tests.
Comment #15
Shai commented@webchick,
I've never written a test before. What would be required in this case?
Anyone following this thread know what is required here re: testing?
Shai
Comment #16
thehong commentedComment #18
thehong commented#16: 8-1872404.diff queued for re-testing.
Comment #18.0
thehong commentedchanged from code to php
Comment #19
xan.ps commentedThe patch submitted looks good. RTBC.
Comment #20
ggevalt commentedThis is an interesting discussion. It is one year old and applies to Drupal 8, yet there are lots of unresolved conversations about this same issue in D7 and D6 and D5 and D4. We are in D6… we have tested all sorts of solutions presented to this ( https://drupal.org/node/884458 … https://drupal.org/node/693516 … https://drupal.org/node/807804 … https://drupal.org/node/877550 … are a few) and it appears that it is related to Firefox, but perhaps not. In our case, anyone using a Firefox browser will not be able to reset the password or be able to log in after verifying a new account. They go to the link, they click "login" on their one-time login and they get an access denied message. This is a huge problem for our site
It appears that, at the moment, there is a problem in that Firefox does not log you out properly. Beyond that, we can't figure out the problem. But this seems to be a much larger issue related to core in lots of iterations. I've found references to this problem all the way back to D4.
We have been affected by this bug for many years in D4, D5 and D6. And now, it appears, it has appeared in D8 still unresolved.
I would love it if someone at this level really looked at what is going on. It is related to cookies and how Drupal handles them and how the browsers handle them and that seems pretty important.
thanks,
g
Comment #21
joachim commentedI could have sworn that I've seen a duplicate of this issue, and even possibly uploaded a patch (for D7) to it, but I can't find it! :(
Comment #22
joachim commentedAh, it's #889772: Following a password reset link while logged in leaves users unable to change their password.
That issue has a D8 patch with a different approach.
Comment #23
jhedstromMarking this a duplicate of #889772: Following a password reset link while logged in leaves users unable to change their password as mentioned in #22. That issue has a test, and needs review.