Even if I configure a fast login token to be used more than once, it is impossible.
It seems that each time a user logs in, new tickets are created and previous tickets expire - no matter whether the user logs in from a token or not (which means that if a user logs in without a token, this token expires).
This might be a problem of the Login Ticket API, but I wonder if it's not the Fast Login Token that is supposed to change the default API behavior.
Comments
Comment #1
amorsent commented
This is due to the following:
fastlogin_token_values() implementation calls loginticket_create() which in turn makes sure there is only one valid loginticket per uid-purpose. Existing tickets are expired.
Since the token module doesn't lazy load the token replacements, we're essentially invalidating old tickets and creating new ones whenever ANY module asks for user token values, regardless of whether the fastlogin token is actually used or not.
I think this approach is fatally flawed at best, and arguably a security issue since this can potentially lead to a HUGE amount of unnecessary logintickets just lying around.
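The behaviour described in this comment can be reproduced with a small stand-alone model. This is an added example, not part of the comment and not code from the Fast Login Token or Login Ticket modules; every `model_*` function and the `[fastlogin-url]` placeholder are hypothetical names, and the scenario is constructed.

```php
<?php
// Simplified stand-in for the ticket store: one valid ticket per uid+purpose.
// All model_* names are hypothetical; this is not the modules' own code.
$tickets = [];   // rows of ['uid', 'purpose', 'code', 'valid']

function model_ticket_create(array &$tickets, int $uid, string $purpose): string {
    foreach ($tickets as &$t) {          // expire any earlier ticket for this uid+purpose
        if ($t['uid'] === $uid && $t['purpose'] === $purpose) {
            $t['valid'] = false;
        }
    }
    unset($t);
    $code = bin2hex(random_bytes(8));
    $tickets[] = ['uid' => $uid, 'purpose' => $purpose, 'code' => $code, 'valid' => true];
    return $code;
}

// Eager: every request for user token values mints a ticket, used or not.
function model_token_values_eager(array &$tickets, int $uid): array {
    return ['fastlogin-url' => '/fastlogin/' . model_ticket_create($tickets, $uid, 'fastlogin')];
}

// Lazy: mint a ticket only when the text being rendered contains the placeholder.
function model_replace_lazy(array &$tickets, int $uid, string $text): string {
    if (strpos($text, '[fastlogin-url]') === false) {
        return $text;                    // no ticket created, nothing expired
    }
    $url = '/fastlogin/' . model_ticket_create($tickets, $uid, 'fastlogin');
    return str_replace('[fastlogin-url]', $url, $text);
}

// Constructed scenario: a link is mailed, then an unrelated caller asks for user tokens.
$mailed = model_token_values_eager($tickets, 7)['fastlogin-url'];
model_token_values_eager($tickets, 7);   // unrelated caller, value discarded
$mailedCode = substr($mailed, strlen('/fastlogin/'));
foreach ($tickets as $t) {
    if ($t['code'] === $mailedCode) {
        printf("eager: mailed ticket valid=%s, rows=%d\n", var_export($t['valid'], true), count($tickets));
    }
}

// Same scenario with lazy replacement: the unrelated text leaves the store untouched.
$tickets = [];
model_replace_lazy($tickets, 7, 'Log in here: [fastlogin-url]');
model_replace_lazy($tickets, 7, 'Your order has shipped.');
printf("lazy: mailed ticket valid=%s, rows=%d\n", var_export($tickets[0]['valid'], true), count($tickets));
```

In the eager run the mailed ticket is already expired and a second row exists before the recipient clicks anything; in the lazy run the mailed ticket stays valid and the store holds a single row.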