allowing new password input on password reset landing page

Posted by jitesh doshi

Normally, in Drupal, when a user clicks on a password reset link that they requested from a Drupal site, they are taken to a landing page that has nothing but a "Log In" button that logs them in. The system then expects the user to update their password on their own.

But for infrequent or non-technical users, that last step often never happens. They fail to set their password, and then ask to reset password again the next time they need to access the site.

MY SOLUTION:
I modified the password reset landing page (the page where the user lands when they click the password reset link - user/reset/%uid/%timestamp/%token) such that it has the password input (pass1 and pass2) built into it. It accepts the new password(s) and updates the user account while logging them in. See the attached screenshot.

Do you see negative security implications of this?


Attachment: password reset landing page - with password input(s) (11.43 KB)

Comments

A useful but not essential alternative

Posted by cryptosmith

Regarding ease of use, I presume that the infrequent user can still leave the password fields blank, click 'login' and be logged in.

If the user is satisfied with authentication via email, then perhaps that's OK. If they are forced to type in a new password, then they're likely to type easy-to-repeat text streams, which usually produce passwords vulnerable to guessing.

Another thing to check is how this interacts with SSL coverage, assuming the site uses SSL.

Posted by greggles

Seems like a great usability improvement. I can't immediately think of a security weakness to this. I agree with cryptosmith's comment.

Posted by cashwilliams

<History Lesson>
I've always been curious about the need for the interim "click here to login page". I always figured it was for some sort of security, but no idea what. So I did some digging.

The form in question was introduced back in early 2006 (http://drupal.org/node/24398#comment-330766). Prior to this patch, clicking the link received in an email would just log the user in and redirect to their account page presenting the password change form (as you're providing with your change). The patch was put in place due to some software clients that would try to "prefetch" the URL in order to get info about headers and such. This would make the one-time login link invalid.

So this patch was put in to fix that, but I suspect the form it creates didn't get much thought in terms of UX.
</History Lesson>

The issue I do see though is implementing this. If a user enters 2 different passwords that don't match, what happens? Does the form validation fail, which would redirect to the same page? However, it's a one-time link, so the page is no longer valid. Or does it log them in, and then fail and pre-populate the existing 2 password fields with an error? But then the user thinks their password is changed but it's not.

You see where I'm going. Another solution is to just bypass this page altogether, effectively undoing the patch discussed above by adding /login to the end of the url emailed out.

Posted by pwolanin

The code for that page is horrible (beyond horrible). The fact that appending the extra /login bypasses the form is something that should never have been allowed to make it into Drupal 6+.

Posted by greggles

> You see where I'm going. Another solution is to just bypass this page altogether, effectively undoing the patch discussed above by adding /login to the end of the url emailed out.

One drawback to that solution is that the full user form doesn't give the prominence to a new password that a user really should have when they have forgotten their password.

Posted by cleaver

I think this could be a good usability enhancement. I'd want to see some configuration options that would turn it on or off and to make the password fields optional or mandatory.

I'm sure lots of teams have shared the user 1 account and just do a "drush uli" to get a login. This is convenient, but I presume that it could be seen as a security problem. Adding the password fields and having the ability to make them mandatory would seem to me a security enhancement.

responses to feedback so far

Posted by jitesh doshi

Thank you all for your constructive feedback.

Let me try to address some of the comments:

  1. I did make the password field required (the screenshot doesn't show that)
  2. Password will not be any weaker than if set on the edit profile page. I use the same code to validate the password here as well. In fact, I'm even using the "password_policy" module on this page. Works like a charm.
  3. If the passwords don't match, the password reset link does not expire automatically. This is because the link expires only *after* it has been used (user gets logged in). But that doesn't happen until the form is successfully submitted.

Finally, if all this is kosher security-wise, and many people think this is a good idea, then I'll create a contrib module for this.

Please keep the feedback coming.

--Jitesh
SpinSpire - Enterprise Drupal!
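As an added example (not the PRLP module's own code, and not posted by anyone in this thread), the following Drupal 7 module shows one way to build what the original post describes and what the replies about mismatched passwords and the link's lifetime turn on. The module name prlp_example, the function names and the extra "not your user name" rule are assumptions. It relies on three core behaviours: the core form's submit button posts to the same URL with /login appended, where the user_pass_reset() page callback logs the user in before any form validation runs; a one-time link is invalidated only when user_login_finalize() updates the account's login timestamp (and, because user_pass_rehash() also covers the stored password hash, a successful password change burns it as well); and user_save() hashes a plain 'pass' value itself.

```php
<?php
/**
 * @file
 * prlp_example.module (hypothetical module name, written for this thread;
 * not the prlp project's code).
 *
 * Drupal 7 only. Adds a password / confirm pair to the
 * user/reset/%uid/%timestamp/%token landing page, validates it, and only on
 * success saves the new password and logs the user in. A validation error
 * just redisplays the form: the link stays valid because nothing has updated
 * $account->login yet.
 */

/**
 * Implements hook_menu_alter().
 *
 * Route the reset page through our own callback so a trailing "/login" on the
 * emailed URL can no longer log a user in with a plain GET (the bypass and the
 * mail-client prefetch problem discussed above). The POSTed form is the only
 * way in.
 */
function prlp_example_menu_alter(&$items) {
  $items['user/reset/%/%/%']['page callback'] = 'prlp_example_reset_page';
  $items['user/reset/%/%/%']['page arguments'] = array(2, 3, 4);
}

/**
 * Page callback: build core's form and drop any trailing action argument.
 */
function prlp_example_reset_page($uid, $timestamp, $hashed_pass) {
  module_load_include('inc', 'user', 'user.pages');
  return drupal_get_form('user_pass_reset', $uid, $timestamp, $hashed_pass);
}

/**
 * Implements hook_form_FORM_ID_alter() for user_pass_reset().
 */
function prlp_example_form_user_pass_reset_alter(&$form, &$form_state) {
  // Core points #action at ".../login". Post back to the page itself so the
  // submission goes through normal validation (belt and braces next to the
  // menu alter above).
  $form['#action'] = url(current_path());

  // password_confirm renders pass1/pass2 and rejects a mismatch itself.
  $form['pass'] = array(
    '#type' => 'password_confirm',
    '#required' => TRUE,
    '#description' => t('Choose a new password. Leaving this empty is not allowed.'),
    '#weight' => 5,
  );
  $form['actions']['#weight'] = 10;
  $form['actions']['submit']['#value'] = t('Set password and log in');

  $form['#validate'][] = 'prlp_example_user_pass_reset_validate';
  $form['#submit'][] = 'prlp_example_user_pass_reset_submit';
}

/**
 * Extra validation. Assumed site rule: the password may not be the user name.
 * Site-wide policy modules can hook in here the same way.
 */
function prlp_example_user_pass_reset_validate($form, &$form_state) {
  list($uid) = $form_state['build_info']['args'];
  $account = user_load($uid);
  $pass = $form_state['values']['pass'];
  if ($account && drupal_strtolower($pass) === drupal_strtolower($account->name)) {
    form_set_error('pass', t('The password may not be the same as your user name.'));
  }
}

/**
 * Submit: re-check the token, save the password, then do what core's "/login"
 * action did, in one request.
 */
function prlp_example_user_pass_reset_submit($form, &$form_state) {
  global $user;
  list($uid, $timestamp, $hashed_pass) = $form_state['build_info']['args'];
  $account = user_load($uid);
  // The form builder already verified the token when it rebuilt the form for
  // this POST; verify again right before changing credentials anyway.
  if (!$account || $hashed_pass !== user_pass_rehash($account->pass, $timestamp, $account->login, $account->uid)) {
    drupal_set_message(t('This one-time login link is no longer valid. Please request a new one.'), 'error');
    $form_state['redirect'] = 'user/password';
    return;
  }
  // user_save() hashes 'pass' and fires hook_user_update() for other modules.
  $account = user_save($account, array('pass' => $form_state['values']['pass']));
  $user = $account;
  // Updates $user->login, which (together with the new hash) burns the link.
  user_login_finalize();
  watchdog('user', 'Password set via one-time login link for %name.', array('%name' => $account->name));
  drupal_set_message(t('Your password has been changed and you are now logged in.'));
  $form_state['redirect'] = '<front>';
}
```

With the page callback replaced, a GET on the /login URL (for example a mail client prefetching the link) no longer logs anyone in or burns the link, and a mismatched confirmation simply redisplays the form with the link still usable, which is the behaviour point 3 above relies on. Check the result on a copy of the site: any other module that also alters user_pass_reset and sets its own #action will compete with this one.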

I could actually use this

Posted by jgrubb

I could actually use this theoretical module right now. Thank you for doing the legwork and I'll volunteer to do a D6 backport if you'd like one.

John

Posted by greggles

Yeah, I suggest creating the module AND working on a core issue for this change.

Tried it out..

Posted by FSheFF

"password field required" With the 7.x-1.x-dev version that does not seem to be the case. An individual can skip entry in the fields and click on login, and they are taken to the account/edit tab. Fortunately it does not at that point ask for the current password, so they can still change the password.

If they do enter the passwords they see a message on the account/edit tab to the effect.. changes saved, log in successful as..., etc etc.. and oh yes.. "Please change your password". Hmmmm? They just changed it! That will confuse my folks for sure. May I suggest just putting them on the home page with a small bullet confirming their successful log-in and change of password.

I really like the clean interface,with the feedback as to the current user id. Excellent work. And long time needed.

I don't think they should be allowed to do anything else.. like change their email address or user id, on that initial password reset page. But they really do need to be forced to enter those passwords, or dumped out as an unregistered user, and NOT sent to the account page.

THANKS for getting this module out there. Looking forward to using it on our production server.

Posted by cameron tod

Wouldn't it make more sense to log the user in as per normal, but then redirect them to a custom form to change their password, rather than having the password change form on the same url as the one-time login link?

Posted by cleaver

One form seems simpler than two from my view of things. The password fields on the one-time login screen makes sense to me and I don't see a down side.

new module released for this

Posted by jitesh doshi

Hi all ...

I have created a new module for this feature and created a fresh DEV release at http://drupal.org/project/prlp. The module is called PRLP (password reset landing page). At this point, it only adds password and password confirm fields to the password reset landing page. I could add other things to it, such as changing email address or username, depending on the feedback I get.

Please check it out, test it and give some feedback.

Project Page: http://drupal.org/project/prlp

Thanks.

--Jitesh
SpinSpire - Enterprise Drupal!

Check Out Others Who are Working on Same

Posted by Shai

@Jitesh,

This is awesome. And it is wonderful you modularized it for Drupal 7. I'm going to test it on two Drupal 7 sites and report back.

You should know that others are working on something very similar for Drupal 8. You should join forces with them. Check this out:

http://drupal.org/node/75924#comment-6706904

On a slightly different but related issue that has come up in Drupal 7 because of the requirement to know your current password in order to change it: many of the people requesting a password reset are currently logged in to their sites, using the reset password link on the user/edit page. They then go to their email, without ever logging out, use the "one time login" and get returned to their site where the "current password" field still shows because they never logged out.

I've proposed a very simple solution which is mostly about changing messages. But the issue needs to be acknowledged and so far hasn't really, that I can tell.

Here is my issue: http://drupal.org/node/1872404

Shai Gluskin
Content2zero

Posted by jitesh doshi

Thanks @Shai. I will post to that thread about this module. They are also talking about NOT backporting this to D7. So this module may still be needed.

And here's an appeal to all on this thread ...

Please do download and test the module. And please report issues/bugs.

--Jitesh
SpinSpire - Enterprise Drupal!

No Current Password issue in 7

Posted by FSheFF

See the module, NoCurrent_Pass, as a fix in 7. Works for us.
http://drupal.org/project/nocurrent_pass

I'll make that a config option

Posted by jitesh doshi

Thanks for the great feedback.

I hear you guys. Basically, don't take them to account edit page. And don't ask them to change the password again.

Now which page to take them to .. should be configurable. So I'll make that a config option, with a default being the front page.

How does that sound?

--Jitesh
SpinSpire - Enterprise Drupal!

Sounds like a plan

Posted by FSheFF

Excellent. Looking forward to testing it out here.
Cheers!

requests addressed and more in new release

Posted by jitesh doshi

Hi all,

I have just made a new release 7.x-1.0-beta1 of the PRLP module. It addresses all of your requests and more. Please check out the release notes.

Please give it a try and file issues if you find any.

--Jitesh
SpinSpire - Enterprise Drupal!

I really appreciate

Posted by dhineshkumar

I really appreciate this work and I expected a module like this. Cheers!

Core issue

Posted by anybody

Indeed this is the related, still open, critical UX core issue: https://www.drupal.org/project/drupal/issues/75924

Until that one is fixed, this is the workaround contrib module:
https://www.drupal.org/project/prlp
