When a logged-in user confirms his account by clicking the verify link, a new session is started.
By restarting the session, all calls to drupal_get_token() generate another token, causing open forms by the user to be invalid.

Comments

sandervd’s picture