Simpler Password Reset in Drupal 7

Here's a helpful tip for maintainers of Drupal 7 websites, if you're as puzzled by the password reset process as I was.

For those not familiar, to reset a password you give your email address to the site, and it sends an email with instructions on how to reset your password. This much is reasonable and expected: only someone with access to that email account will be able to change the password. The email comes with a link, and here's where things get weird. Typical users (and developers, too) expect that link to bring you to a page where you can change your password. Instead the link brings you to a one-time login form whose only control is a Log in button.

At this point, many users are scratching their heads wondering "WTF?"1 Experienced Drupalers know to click that Log in button, then change their password on the next page. Not all users make it that far. To most of them, that Log in button is just one extra, apparently unnecessary step in the password reset process.

It turns out there's an easy way to skip that one-time login form. The form is built by user_pass_reset(), which (oddly) is both a form builder and, depending on its arguments, the code that performs the login. I suspect it is written purposefully to make the following tip possible, although I haven't seen it documented elsewhere.

The useful thing about user_pass_reset() is that it takes an optional $action argument, and you can supply it with just a small change to the URL: Drupal's menu router hands any extra path component after the hash to the page callback as that argument. When $action is 'login', the function verifies the link and logs the user in, just as if the one-time login form had been submitted (the form itself posts to the same link with /login appended).

Which brings us to the point of this post. If the link in the email has "/login" appended to the end of it, the user skips the one-time login form. Simple as that, with one caveat: the login and the password-edit redirect now happen on a plain GET of the link, so anything that fetches URLs in incoming mail (a link preview, an anti-malware scanner) consumes the one-time link before the user ever clicks it. That is exactly what the confirmation form was added to prevent; see Heine's comment below.

Under Configuration >> People >> Account Settings you'll find several email templates where the [user:one-time-login-url] token is used. Wherever you find it, change it to [user:one-time-login-url]/login. You may also want to edit the text that follows the link, as some of that one-time login mumbo jumbo no longer applies.

Save those settings, open an incognito window, and request a password reset. You'll find the link emailed to you brings you straight to the password edit form, the very last step of the password reset process.
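To make the two behaviours concrete, here is a small Python model of the one-time login link lifecycle described above and of the mail-scanner problem raised in the comments. It is an added example, not Drupal's code: the link hash is modelled as an HMAC over the link timestamp, the account's last-login timestamp and the uid, keyed with a constructed site salt and the stored password hash, and the account, timeline and salt are constructed values. The point it demonstrates is that logging in updates the last-login timestamp, which is part of the hashed data, so the first request that carries the 'login' action burns the link for everyone after it.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values standing in for the Drupal 7 hash salt and a {users} row.
HASH_SALT = b"constructed-site-salt"
TIMEOUT = 86400  # default password reset timeout: 24 hours


class Account:
    def __init__(self, uid, pass_hash, login=0):
        self.uid = uid
        self.pass_hash = pass_hash  # stored (already hashed) password
        self.login = login          # last-login timestamp, 0 = never logged in
        self.logged_in = False


def rehash(account, timestamp):
    # Model of the per-link hash: HMAC-SHA256 over timestamp|last-login|uid,
    # keyed with salt + stored password hash, base64url without padding.
    # Because last-login is part of the data, a successful login (or a
    # password change) invalidates every outstanding link for the account.
    data = f"{timestamp}{account.login}{account.uid}".encode()
    key = HASH_SALT + account.pass_hash.encode()
    mac = hmac.new(key, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def one_time_login_url(account, issued_at, action=None):
    # What [user:one-time-login-url] expands to, optionally with the
    # '/login' suffix this post recommends appending in the mail template.
    url = f"/user/reset/{account.uid}/{issued_at}/{rehash(account, issued_at)}"
    return f"{url}/{action}" if action else url


def user_pass_reset(account, now, url):
    # Model of user_pass_reset(): a request on the bare link renders the
    # confirmation form; a request carrying action 'login' logs the user in
    # and burns the link by updating the last-login stamp. Returns the
    # outcome as a string: 'form', 'login', 'expired' or 'invalid'.
    parts = urlsplit(url).path.strip("/").split("/")
    uid, timestamp, hashed = int(parts[2]), int(parts[3]), parts[4]
    action = parts[5] if len(parts) > 5 else None
    if uid != account.uid:
        return "invalid"
    if account.login and now - timestamp > TIMEOUT:
        return "expired"  # no timeout for an account that never logged in
    if not (account.login <= timestamp <= now
            and hmac.compare_digest(hashed, rehash(account, timestamp))):
        return "invalid"
    if action == "login":
        account.logged_in = True
        account.login = now  # what user_login_finalize() does on the real site
        return "login"
    return "form"


def scenario(append_login):
    # Constructed timeline: the link is mailed at t0, a link scanner in the
    # user's mail client fetches it 60 s later, the human clicks it after
    # 10 minutes and then (if shown the form) presses Log in one second later.
    t0 = 1_700_000_000
    account = Account(uid=42, pass_hash="$S$constructed-hash")
    bare = one_time_login_url(account, t0)
    mailed = bare + "/login" if append_login else bare
    scanner = user_pass_reset(account, t0 + 60, mailed)
    click = user_pass_reset(account, t0 + 600, mailed)
    submit = user_pass_reset(account, t0 + 601, bare + "/login")
    return scanner, click, submit


if __name__ == "__main__":
    print("stock template :", scenario(False))  # ('form', 'form', 'login')
    print("with /login    :", scenario(True))   # ('login', 'invalid', 'invalid')
```

With the stock template the scanner's fetch only renders the form and the human still gets in; with /login appended the scanner's fetch is the login, and the human's click lands on "used or no longer valid". Whether that trade is acceptable depends on how many of your users sit behind mail clients or gateways that prefetch links.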

That's it for this tip. I hope it's helpful. [Edit: see Heine's comment pointing out this change may not be helpful to some users.]

1. WTF is short for "what's this form?"


Comments

This is one of the best tips I've learnt about Drupal. Thanks :-)

Thanks, very useful, I'm going to use that often, I think ;)

Great tip - thanks!

The submission step is present to prevent intermediaries such as mail clients from using up the one time login token.

See issue #24398 for the issue that introduced the step.


It's nice to know the history of that login step. It gives some insight why that function is written so strangely as both a form creator and submit handler. And thanks especially for the heads up that my change above might actually cause problems for some users.

In that thread, the idea of a time limit for the link was suggested, but lost out to the one-time login approach, possibly just because that was the first patch submitted. I think the one-time login page is really hard for typical users to understand.

At this point I'm not sure what's better, inconveniencing a few users with their smart mail clients, or inconveniencing everybody else!