Normally, in Drupal, when a user clicks on a password reset link that they requested from a Drupal site, they are taken to a landing page that has nothing but a "Log In" button that logs them in. The system then expects the user to update their password on their own.
But for infrequent or non-technical users, that last step often never happens. They fail to set their password, and then ask to reset their password again the next time they need to access the site.
I modified the password reset landing page (the page where the user lands when they click the password reset link - user/reset/%uid/%timestamp/%token) such that it has the password inputs (pass1 and pass2) built into it. It accepts the new password(s) and updates the user account while logging them in. See the attached screenshot.
Do you see negative security implications of this?
Attachment: password reset landing page - with password input(s) (11.43 KB)
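A minimal model of the checks a combined "reset link plus new password" page has to keep enforcing when the form is submitted, as an added example that is not part of the original post and is not Drupal's own code. The token scheme, `$SECRET`, the timeout, the minimum password length and the `$account` array are all assumptions made for illustration.

```php
<?php
// Constructed model of a reset landing page that also sets the password.
// Not Drupal code: token scheme, secret, timeout and $account are assumptions.
const RESET_TIMEOUT = 86400;          // assumed link lifetime in seconds
const MIN_LENGTH = 12;                // assumed password policy
$SECRET = 'constructed-site-secret';  // placeholder secret

// The token binds uid, timestamp, last login and the current password hash,
// so it stops validating once the password changes or the user logs in.
function reset_token(array $account, int $timestamp, string $secret): string {
    $data = $timestamp . ':' . $account['login'] . ':' . $account['uid'];
    return hash_hmac('sha256', $data, $secret . $account['pass']);
}

// Handles the POST of the combined form. Returns [ok, message, account].
function handle_reset(array $account, int $timestamp, string $token,
                      string $pass1, string $pass2, string $secret, int $now): array {
    // 1. Re-validate the link on submit, not only when the page was rendered.
    if ($timestamp > $now || $now - $timestamp > RESET_TIMEOUT) {
        return [false, 'link expired', $account];
    }
    if ($timestamp < $account['login']) {
        return [false, 'link already used', $account];
    }
    if (!hash_equals(reset_token($account, $timestamp, $secret), $token)) {
        return [false, 'invalid link', $account];
    }
    // 2. Look at the submitted password only after the link checks pass.
    if ($pass1 !== $pass2 || strlen($pass1) < MIN_LENGTH) {
        return [false, 'password rejected', $account];
    }
    // 3. Update hash and login time together; either change kills the token.
    $account['pass'] = password_hash($pass1, PASSWORD_DEFAULT);
    $account['login'] = $now;
    return [true, 'password set, user logged in', $account];
}

// Constructed sample account; the same link is submitted twice.
$now = 1700000000;
$account = ['uid' => 42, 'login' => $now - 500000,
            'pass' => password_hash('old password', PASSWORD_DEFAULT)];
$ts = $now - 600;
$token = reset_token($account, $ts, $SECRET);
[$ok, $msg, $account] = handle_reset($account, $ts, $token,
    'correct horse battery', 'correct horse battery', $SECRET, $now);
echo "first use: $msg\n";
[$ok, $msg, $account] = handle_reset($account, $ts, $token,
    'another long password', 'another long password', $SECRET, $now + 60);
echo "replay:    $msg\n";
```

The second submission of the same link is refused because the account's login time and password hash changed on first use, which is the property a modified landing page must not lose.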