Summary
If a user does not immediately set a new password after email-resetting an expired account, they get stuck in a loop they cannot get out of without restarting the whole process from scratch.
This looked a lot like #2856878: password expired message still shows upon resetting password via email, but it's actually subtly different, and more a problem of how things work when a user does not follow instructions.
Given a case where:
- User has not logged in for a while, their password has expired.
- User has forgotten the password - because the two go together.
- User visits login at /user, and triggers a password reset.
- User gets password reset link and is given the "one time login" page. Note: no mention of password expiry yet.
- Using the one time login, they are taken to their account page.
- On the account page, they get a GREEN welcome message: "You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password."
- No mention of password expiry.
IF the user follows the suggestion, they should be OK.
IF the user instead attempts to start using the site immediately:
They get bounced back to their account page, with a new RED warning: "Your password has expired, please update it".
That in itself would be annoying, but what's really a problem now is that this form also requires you to enter your old password ... and in this user story, the user doesn't know the old password - that's why they came this route.
They are now in an impossible loop; there is nothing they can do. They just keep getting redirected. They can't even use the rest of the read-only site like a normal user now.
(The form also presents a "reset your password" link in the help text ... and this link is inoperable! That is also a bug.)
The only escape is to:
- Log out.
- Attempt to log in again.
- Repeat the 'reset your password' process from scratch, via email.
- And next time, ensure that the first and only thing they do is set a new password, as the green box politely suggested.
Solution?
Well, I'm aware of the core security issues that make it necessary to enter the old password before setting a new one. And this is why only the VERY FIRST visit to the user admin form is allowed to get away with not doing that.
I have seen the problems that can ensue when a contrib module tries to intercept and persist that magic one-time cookie (I believe this is what Legal Module got into trouble for [#2869127]).
We cannot stop the user from leaving the page, clicking 'home' or attempting to get on with the job they wanted to do immediately, yet that's where the problem starts.
Proposal: The warning about an expired password that makes the site unusable should be surfaced earlier and louder.
The 'your password has expired - you MUST change it' message should be a warning, in red, on the first two pages - if at all possible.
The team here has also suggested going full 'modal', or taking drastic theme steps to reduce the user page to only its bare components, removing all navigation from it. Those options don't seem right.