The Needs Review Queue Bot → tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.
- Status changed to Needs review
almost 2 years ago 12:32pm 27 February 2023 - 🇮🇳India sahil.goyal
Reroll the patch as #14 is not getting applied to the current version so rerolled the patch to make it compatible and attaching reroll_diff.
The last submitted patch, 21: 2969406-21.patch, failed testing. View results →
- 🇮🇳India Aadhar_Gupta
Giving a new patch for 10.1 as provided patch in #21 failed
The last submitted patch, 23: 2969406-23.patch, failed testing. View results →
- Assigned to rassoni
- Status changed to Needs work
almost 2 years ago 3:51pm 1 March 2023 - Issue was unassigned.
- Assigned to urvashi_vora
- 🇮🇳India urvashi_vora Madhya Pradesh, India
Providing a patch for 10.1.x as Patch #23 failed.
Please review.
Thanks.
- Issue was unassigned.
- Status changed to Needs review
almost 2 years ago 10:08am 2 March 2023 The last submitted patch, 28: 2969406-27.patch, failed testing. View results →
- First commit to issue fork.
- 🇮🇳India Ranjit1032002
Created MR for the issue, please review.
Thank you.
- First commit to issue fork.
- Status changed to Needs work
almost 2 years ago 3:37pm 17 March 2023 - 🇬🇧United Kingdom AaronMcHale Edinburgh, Scotland
Usability review
We reviewed this issue at 📌 Drupal Usability Meeting 2023-03-17 Fixed .
That issue will have a link to the recording, for the record the attendees were: myself, @rkoller, @simohell, @shaal and @blackbamboo.
After considering several options, we recommend the following text for the message:
You have logged in with your one-time login link. Set your new password now, it is not possible to use this link a second time.
- Status changed to Needs review
over 1 year ago 6:23am 19 March 2023 - Status changed to RTBC
over 1 year ago 12:07pm 19 March 2023 - 🇨🇦Canada alberto56
I know a lot of people who use one-time login links to log in all the time and never change the password (and have forgotten it long ago). "Set your new password now" gives the impression that you have to set the new password in order to continue, when in fact you can set your new password, but you don't have to. Perhaps "You can set your new password now" would be more appropriate than "Set your new password now".
- Status changed to Needs review
over 1 year ago 4:35am 3 April 2023 - Status changed to Needs work
over 1 year ago 10:01pm 8 April 2023 - 🇺🇸United States smustgrave
To keep this moving I don't see an issue with updating to "You can set your new password"
Though not sure about the one-time login approach. Seems to bypass all the password security.
- 🇬🇧United Kingdom AaronMcHale Edinburgh, Scotland
Sorry about the delay in replying here.
My view is that with the message we want to convey a sense of urgency, because for most users they will be using these links to access their account after they have opted to reset their password, usually because they forgot it, so we want to emphasise to the user that they must set a new password now, otherwise they will be in effect locked out of their account and will need to do the same process again next time they try to login.
While it is true that people do use the one-time-login links for accessing a site during development/testing (I have done this myself on many occasions), I don't see that being the intended use case of this feature. For people who use these links in that way, they probably already know that they don't need to actually set a password now and next time they need to login can use the same process. The users who really need this message are the normal users who have forgotten their password and actually do need to set it now.
In an ideal world these links would go to a dedicated set password form, rather than the general account edit form, and in that way, we can focus the attention of the user. While at the same time, we would have a dedicated way of generating links for the dev/test use-case and those links would take you to a more appropriate place with more appropriate messaging, maybe that's a good candiate for a follow-up issue!
- Status changed to RTBC
over 1 year ago 1:46pm 12 April 2023 - 🇺🇸United States smustgrave
In that case I think it may be fine to leave as is.
- last update
over 1 year ago 29,202 pass - last update
over 1 year ago 29,283 pass - last update
over 1 year ago 29,300 pass - last update
over 1 year ago 29,302 pass - last update
over 1 year ago 29,304 pass - last update
over 1 year ago 29,343 pass - last update
over 1 year ago 29,366 pass - 🇳🇿New Zealand quietone
I have updated the Issue Summary with the standard template and before and after screenshots.
- last update
over 1 year ago 29,366 pass - last update
over 1 year ago 29,364 pass, 2 fail - last update
over 1 year ago 29,378 pass - 🇮🇹Italy apaderno Brescia, 🇮🇹
Is Set your new password now, it is not possible to use this link a second time. an example of comma-splice sentence?
- 🇬🇧United Kingdom AaronMcHale Edinburgh, Scotland
Is [...] an example of comma-splice sentence?
I am by no means an expert in these areas, so I cannot confidently say.
Reading the sentence it has two parts: "Set your new password now" is the action we want the user to perform; And in the same sentence we provide the reason why they must do it now: "it is not possible to use this link a second time."
That to me feels like a suitable sentence as is, but again I'm by no means an expert and would not object to swapping the comma with a semicolon.
- last update
over 1 year ago 29,379 pass - Status changed to Needs review
over 1 year ago 4:10am 8 May 2023 - 🇳🇿New Zealand quietone
I checked with some on-line grammar checkers and got mixed results. Some changed the comma to a semi-colon, others did not.
But is that final phrase even needed. The first sentence states clearly that it is a 'one-time' login link. Why not just, 'You have logged in with your one-time login link. Set your new password now.' Or even a simple third sentence. 'You have logged in with your one-time login link. The link can not be used again.' But I too, am not skilled in proper written English.
- 🇮🇹Italy apaderno Brescia, 🇮🇹
I think You have logged in with your one-time login link. Set your new password now. is preferable to You have logged in with your one-time login link. The link can not be used again. because it makes explicit a new password should be set.
- 🇮🇳India Mahima_Mathur23
I like the suggestion given in #49, Although the third sentence is kind of redundant because one-time login link actually means that it cannot be used again.
Also, I think that "Change your password now" is giving a very urgent message which is not required, because no matter what, the user can get a one-time login link again if he doesn't change the password just now.
So, if we could add something like Change your password to something you can remember the next time or rather Set up your secure password for the next time.
- Status changed to Needs work
over 1 year ago 6:19pm 10 May 2023 - 🇬🇧United Kingdom AaronMcHale Edinburgh, Scotland
What I can say is that we generally prefer shorter messages, if there's a short and concise way to get to the point, we should go with it.
So with that in mind, I think @quietone makes a good point in comment #49:
But is that final phrase even needed. The first sentence states clearly that it is a 'one-time' login link.
In fact, I think we could shorten it even further, we can replace "logged in with your" in the first sentence with simply "used a", so then it simply reads:
"You have used a one-time login link. Set your new password now."
On further reflection I now feel the extra statement "it is not possible to use this link a second time" is not adding any value, and as long as the user sets their password, they do not need to know that the link cannot be used again.
In addition, we could potentially have a follow-up issue to look at improving the experience for when an out-of-date login link is used, because right now you simply get an access denied page, which is not very helpful.
- 🇺🇸United States benjifisher Boston area
I am adding a link to 📌 Remove "Please" from the codebase Fixed in the "Remaining tasks" section of the issue summary.
- First commit to issue fork.
- last update
over 1 year ago 29,387 pass, 2 fail - last update
over 1 year ago 29,385 pass, 4 fail - Status changed to Needs review
over 1 year ago 12:11pm 15 May 2023 - 🇧🇷Brazil elber Brazil
Hi I update the message following comment #52, I also rebased please revise.
- Status changed to Needs work
over 1 year ago 2:28pm 15 May 2023 - 🇮🇹Italy apaderno Brescia, 🇮🇹
There are failing tests for both the patch and the MR.
- 🇨🇦Canada alberto56
The message is wrong in case the destination parameter is used. For example, if one appends ?destination=/node to the one-time login link, one gets redirected to /node?check_logged_in=1, then it says "...set your password now...", but it is impossible to do so at this point, because now navigating back to user edit form, it is necessarily to know your current password to set a new one. Perhaps a different message could be shown if the "destination" GET parameter is set.
- 🇺🇸United States benjifisher Boston area
This issue will need an update, since 📌 Remove "Please" from the codebase Fixed was fixed.
- last update
over 1 year ago 29,450 pass - Status changed to Needs review
over 1 year ago 1:36am 24 July 2023 24:53 23:25 Running- 🇳🇿New Zealand quietone
Updated the MR. And it was quicker to make a patch for 11.x than go through the process of making another MR. There is no interdiff with the latest patch because that patch did not match the 10.1.x MR at the time.
I have updated the After screenshot in the issue summary.
- Status changed to RTBC
over 1 year ago 4:41pm 24 July 2023 - last update
over 1 year ago 29,881 pass - last update
over 1 year ago 29,885 pass - Status changed to Needs work
over 1 year ago 7:57am 29 July 2023 - 🇫🇮Finland lauriii Finland
I personally agree with the notion that "Set your new password now" feels like a bit too direct and has too much urgency. Probably the biggest issue I have is that the message makes it sound like the user must set a new password, but the page where we redirect doesn't actually require the user to set a new password. Because of this, I think we should try to adjust the message accordingly. It feels that something along the lines of "'You can set your new password now" would be more suitable.
- Status changed to RTBC
over 1 year ago 9:17am 29 July 2023 - 🇩🇪Germany RobinCS
While I personally like "You can set your new password now" more as well, this problem was already addressed in #40 and #43 and should go in a follow-up issue.
- 🇫🇮Finland lauriii Finland
I don't think #43 fully addresses #40. I'm not concerned about the impact of this for people who use the one-time-login links for accessing a site during development/testing. This group of users are probably ignoring the message altogether anyway. I'm more concerned about the fact that the text in this context appears out of place, even a little bit rude because it's so direct. I'm not a native English speaker so take that with a grain of salt. I also think it would be totally reasonable to display this text if we redirected the user to a form where they must set a new password. However, since we are not doing that and instead we redirect them on a more generic form, it feels like a direct order for the user. After all, there isn't anything wrong if the user doesn't set a new password, they can still ask for a new one-time-link using the UI when they need to login next time.
I feel pretty strongly that we should soften the language a little bit, and open a follow-up to improve the whole login experience. Once we have a form that is focused on setting a new password, we could change the language to be more direct since then in fact the user would have to set a new password.
- last update
over 1 year ago 29,908 pass - Status changed to Needs work
over 1 year ago 10:49am 30 July 2023 - 🇮🇹Italy apaderno Brescia, 🇮🇹
After all, there isn't anything wrong if the user doesn't set a new password, they can still ask for a new one-time-link using the UI when they need to login next time.
We can assume that somebody who clicked on a link to reset the password, read the email sent for that purpose, and clicked on the link given in the email, wants to reset the password, which means setting a new password.
In English, direct commands are avoided, when possible. (That does not mean they are not used.) Since we are avoiding to use please as per another issue, the only possibility is using You could set a new password now. or You can set a new password now. (I gather the first is preferred when a person wants to be polite.)Since
UserController::resetPassLogin()
does not show the form to change the password, the message should also give a link to the form to edit the password. - 🇬🇧United Kingdom AaronMcHale Edinburgh, Scotland
I noted in command #52 that we generally prefer shorter message, but more people seem to prefer adding "You can" to soften the message, and on reflection, there is something a little bit nicer about the less direct phrasing. I don't feel particularly strongly one way or the other, so I won't object to "You can set your new password now." It does still feel like a fairly short and concise message.
In comment #59 @alberto56 made a good point about how if the user uses the destination parameter, then that sentence doesn't make as much sense. I think there's still value in keeping it, but we could wrap it in a link to the user edit form.
So, if the user landed on any route other than the user edit route, the message could be something like
You have used a one-time login link. [You can set your new password now.](/user/1/edit)
In comment #65 @lauriii made a good point that we should open a follow-up issue to have a more focused form, and I totally agree with this. It made me think about how the current password reset process is not really that fit for purpose regardless of which of the two main use-cases:
- User resetting their password: The current process is not ideal because it takes the user to the user edit form, which as noted, is not focused and could overwhelm or confuse the user, as they might not know exactly what action they are supposed to take next.
- Using Drush to generate a one-time-login link: I've been doing this a lot lately, and it's really clear that the current process is also not optimal for this because the user edit form is not the most helpful starting point.
On the second point, the work being done on the new Dashboards in Core may result in changes to what happens when the user logs in, for instance it might take them to the admin Dashboard instead of the user page.
We could build on this by designing a more tailor one-time-login-link process for those who just need to login but not reset the password. We could add a new route dedicated to this process which instead of taking people to the user edit form (or a future password reset form) takes people to the same place they go after they have logged in (whether that be their user page or a future Dashboard), along with adding a new
user:login
sub-command (similar to Drush) for thedrupal
console utility.So there's potentially a couple of follow-ups there.
- 🇮🇹Italy apaderno Brescia, 🇮🇹
The code in
UserController::resetPassLogin()
(including the part showing the message) seems to assume that:- People are effectively redirected to the page containing the form to edit their account data (including their password)
- The form elements to edit the password are the first form elements in account edit form
A contributed module could force a redirect to another page. Seeing You can set a new password now. most people would probably think they are on the page where they can set a new password and they could get confused, if they are redirected to another page that does not contain the form to edit their account.
From /admin/config/people/accounts/form-display, site administrators could have changed the position of the username and password fields, or the same can be done from a contributed module. The password field could not be immediately visible and people could not understand they are on the page that allows that.I understand that does not happen out-of-the-box in a plain Drupal installation, but the shown message should consider that.
For example, with messages similar to You can set your new password now., people could expect they are on the page to edit their password; messages similar to You can set your new password. would probably not give them that expectation, but usually messages without links given with the messenger service are expected to be about the current page. The message given byuser_user_login()
, for example, is not Configure your account time zone setting. but Configure your account time zone setting. with a link that makes the form elements people should change visible in the page. - 🇩🇪Germany RobinCS
I think we can safely assume that the message will be displayed on a password edit form (although not necessarily the user edit form). If it wouldn’t, people could not reset their password, since they need to know their old password to set a new one.
If a contributed module introduces another workflow, it will likely change the status message as well.It might be worth highlighting the password field on the user edit form, but this seems like a follow-up issue.
- 🇬🇧United Kingdom AaronMcHale Edinburgh, Scotland
I agree with @RobinCS in comment #70.
If a site or contrib module changes the location where people are redirected to, then the change I proposed in comment #68 (adding a link if the user is not on the user edit form) would address that.
If a contrib module is doing more than that, for instance providing a dedicated password reset form, then it's up to the contrib module to also ensure that the message the user receives is appropriate. While we can facilitate contrib, in Core we can only account for what Core does, we can't account for all possible combinations of what contrib might do.
- 🇩🇪Germany RobinCS
No, I meant it the other way around. The password-field on the user edit form is password-protected. When you forgot your password, you cannot set a new one. The only exception is directly after using the password reset link (the same request this message is shown). Moving from one page to another would lock the password field again, aborting the reset.
This is why we can assume that the user can set their password on whatever page their landing. Because there can’t be a second one. This also means we can’t link to the user edit form in the status message.
My suggestion therefore is: “You have used a one-time login link. You can set your new password now.” or “You have used a one-time login link. You should set your new password now.”
- 🇮🇹Italy apaderno Brescia, 🇮🇹
Moving from one page to another would lock the password field again, aborting the reset.
That is the exact reason for which showing a You can set a new password now. message does not make any sense, when users are not redirected to a different page.
There is no need to assume anything. It is sufficient to force the redirect to be toward the account edit form.
- 🇬🇧United Kingdom AaronMcHale Edinburgh, Scotland
The password-field on the user edit form is password-protected. When you forgot your password, you cannot set a new one.
That's a great point, I completely forgot about that.
I wonder in that case if we should just drop the second sentence completely, so it's just "You have used a one-time login link." (or something similar).
My thinking being that in 80% of cases a user is clicking the link in the email, so they will get to the proper location (whether that be the user edit form, or another dedicated form which a contrib module could add). In the "20% case", that would most likely come up for someone who used e.g.
drush uli
to generate a one-time-login link and added a destination parameter because they know how to do that. In that case the user does not actually need to set their password, they just needed a convenient way to login.I can't think of another situation where, in core, a user would not end up on the user edit page. Even if a contrib module or custom code is used, then that should then be altering the link in the email prior to it being sent to link to the alternative location, which I hope would have the appropriate password fields.
- 🇮🇹Italy apaderno Brescia, 🇮🇹
The password-field on the user edit form is password-protected. When you forgot your password, you cannot set a new one.
If users followed the link given in the email sent for resetting the password, they do not need to remember the old password; they can just set a new password. (The value set when users return to the site following the link given in the email is stored in the session.)
- 🇨🇦Canada alberto56
Somewhat related, and in case it might be useful to anyone, I have created a module which allows administrators to set a custom "unique log in" message for use-cases other than the standard "click-on-a-link-from-a-lost-password-email" workflow: https://www.drupal.org/project/uli_custom_workflow →
- Status changed to Needs review
about 1 year ago 1:48pm 5 October 2023 - last update
about 1 year ago CI aborted - last update
about 1 year ago 30,377 pass - 🇩🇪Germany RobinCS
Going though the latest comments, these seem to be our options:
- You have used a one-time login link.
- You have used a one-time login link. You can set your new password now.
- You have used a one-time login link. You could set your new password now.
- You have used a one-time login link. You should set your new password now.
The following options didn't seem to be well liked:
- You have used a one-time login link. Please set your new password now. (Don't use "please". #2921133)
- You have used a one-time login link. Set your new password now. (Feels a bit too direct and has too much urgency. #63)
I just went ahead with "You have used a one-time login link. You can set your new password now." now, as it is the one that most people liked or felt neutral about.
- Status changed to Needs work
about 1 year ago 7:04pm 13 October 2023 - 🇮🇳India Harsh
Tried to address the comment #65 and made the message more generic.
Please review this patch - Status changed to Needs review
about 1 year ago 8:24am 17 October 2023 - last update
about 1 year ago Patch Failed to Apply - Status changed to Needs work
about 1 year ago 8:54am 17 October 2023 - last update
about 1 year ago 30,412 pass, 2 fail - 🇮🇳India urvashi_vora Madhya Pradesh, India
@ _utsavsharma your patch file and interdiff file are same. Please check interdiff once, as it doesn't show the difference between patch #80 and #83.
Thanks
- 🇸🇰Slovakia poker10
The last patch is also missing a test change, see #77.
- Status changed to Needs review
about 1 year ago 10:50am 17 October 2023 - last update
about 1 year ago Patch Failed to Apply - 🇮🇳India Harsh
Updated the patch no 2969406-80.Added a test change as well
- last update
about 1 year ago 30,414 pass - Status changed to Needs work
about 1 year ago 7:17pm 17 October 2023 - 🇩🇪Germany RobinCS
#87 says the password can be reseted with „this link“, without providing a link. If you mean the link in the browser bar, then the user is already on that site, so there is no need to link to the same site. Also, linking to any site would lock the password form again (#72).
@smustgrave You said #65 had not been addressed, but #63/#65 suggested „You can set your new password now“. What part of #65 has not been addressed? - last update
about 1 year ago Patch Failed to Apply - Status changed to Needs review
11 months ago 2:32pm 23 January 2024 - 🇩🇪Germany RobinCS
Since it's still not stated what part of patch #77 needs work, I'm gone retest #77 and put it back to Needs review.
- last update
11 months ago 26,109 pass, 1,778 fail - last update
11 months ago 26,012 pass, 1,847 fail - Status changed to Needs work
11 months ago 1:42pm 29 January 2024 The Needs Review Queue Bot → tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".
This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.
- 🇩🇪Germany RobinCS
The patch no longer applies to 10.1.x, because the text itself was changed from "[…] It is recommended that you set your password." to "[…] Please set your password." in #2828724 (Username enumeration via one time login route) → . However, #2921133 (Remove "Please" from the codebase) → reverted this again, so the current patch does apply to 11.x.
@Ranjit1032002 Could you please update this merge request so it points to '11.x'.
- Status changed to Needs review
about 2 months ago 7:55am 30 October 2024 - 🇮🇳India bhanu951
Updated the MR to use message
"You have used a one-time login link. You can set your new password now."
- 🇺🇸United States smustgrave
Created the follow up from #65 here 📌 Improve login experience as a whole Active
@aaronmchale saw your comments in #68 and if that needs to be broken up into smaller pieces we can.
Personally not a word smith and think the change may be rude but it seems blunt, but that appears to have been discussed at length just throwing in my 2 cents.
Seems the text has been agreed upon.
-
quietone →
committed 46e33eda on 10.4.x
Issue #2969406 by bhanu951, robincs, quietone, ranjit1032002, sahil....
-
quietone →
committed 46e33eda on 10.4.x
-
quietone →
committed fb241877 on 10.5.x
Issue #2969406 by bhanu951, robincs, quietone, ranjit1032002, sahil....
-
quietone →
committed fb241877 on 10.5.x
-
quietone →
committed 865bd0bc on 11.1.x
Issue #2969406 by bhanu951, robincs, quietone, ranjit1032002, sahil....
-
quietone →
committed 865bd0bc on 11.1.x
-
quietone →
committed 5874bcd3 on 11.x
Issue #2969406 by bhanu951, robincs, quietone, ranjit1032002, sahil....
-
quietone →
committed 5874bcd3 on 11.x
- 🇳🇿New Zealand quietone
Committed to 11.x and cherry-picked to 11.1.x, 10.5.x, 10.4.x.
Although this is a bug, not committed to 10.3 and 11.0 due to the string change. Refer to https://www.drupal.org/about/core/policies/core-change-policies/allowed-... →
Thanks
Automatically closed - issue fixed for 2 weeks with no activity.