This patch fixes the bug that the account activation link was not a one-time link, but rather allows one to log in as many times as liked.
The fix is extremely small. Just change line 763 in logintoboggan.module from this:

$hashed_pass == logintoboggan_eml_rehash($account->pass, $timestamp, $account->mail)) {

into this:

$hashed_pass == logintoboggan_eml_rehash($account->pass, $timestamp, $account->mail) && !$account->login) {

This patch is in response to http://drupal.org/node/330223. I'm submitting it as a separate issue because my patch is for version 5.x-1.3, not the 6.x line, but I suppose the fix will be extremely similar in the 6.x version.

CommentFileSizeAuthor
logintoboggan.module.patch915 bytesBodo Maass

Comments

hunmonk’s picture

Status: Needs review » Closed (duplicate)

this was fixed in #291001: Allow One Time Login To Be Used Only Once. i just re-tested, and it works flawlessly for me. marking this issue as a duplicate.