
Password reset e-mails no longer work after an hour


In the latest release of IPS, password reset e-mails seem to expire after 1 hour.

If a user submits a password reset request and does not respond to the request within that hour, the first problem is the error they receive when clicking on the reset password link,


It would be much better for this error to tell them that their password reset link has expired, and provide a link to submit a new password reset request.

However, that brings us to the real problem.

When users submit another password reset request, nothing actually happens. It sends the same password reset request link to the user. It does not regenerate the password reset request in the database.

The user gets sent an expired password reset link every time they try and generate a new one.

This means that if the user does not reset their password correctly on the first attempt, it becomes impossible for them to do it until an administrator goes in and manually clears the entry out from the core_validating table.


Thank you for bringing this issue to our attention.

While the 1-hour expiration is intended now, I can confirm the issue with the link should be further reviewed and I've logged an internal bug report for our development team to investigate and address as necessary, in a future maintenance release.


Thanks Mark,

Yeah absolutely no issue with links expiring, I think that's a good security feature. A custom error being displayed to tell people the links expired could be a good UX improvement though!

It took me a bit to identify the issue myself when a user reported it because the error kept just implying their reset request didn't exist.

Edited by Makoto
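The behaviour asked for in this thread, as an added example that is not IPS code and not written by any of the posters: a repeat request always replaces the stored entry with a fresh token, and a late click gets its own "expired" status instead of a generic not-found error. `ResetStore`, its method names and the status strings are hypothetical; the 1-hour lifetime is the one stated in the thread.

```python
import hashlib
import hmac
import secrets

RESET_TTL = 3600  # seconds; the thread says links expire after 1 hour


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


class ResetStore:
    """Hypothetical in-memory stand-in for a pending-reset table."""

    def __init__(self):
        self._rows = {}  # member_id -> (token_digest, expires_at)

    def request_reset(self, member_id: int, now: float) -> str:
        # Always mint a new token and overwrite any earlier row, expired or
        # not, so a repeat request can never re-send a dead link.
        token = secrets.token_urlsafe(32)
        self._rows[member_id] = (_digest(token), now + RESET_TTL)
        return token  # goes into the e-mailed link; only the digest is stored

    def redeem(self, member_id: int, token: str, now: float) -> str:
        row = self._rows.get(member_id)
        # Compare first: only someone holding the real token learns "expired".
        if row is None or not hmac.compare_digest(row[0], _digest(token)):
            return "unknown"
        del self._rows[member_id]  # single use, and expired rows are purged
        if now >= row[1]:
            return "expired"  # UI: say so and link to a new reset request
        return "ok"


def demo():
    store, t0 = ResetStore(), 1_000_000.0  # constructed clock value
    first = store.request_reset(7, t0)
    second = store.request_reset(7, t0 + RESET_TTL + 1)  # re-request after expiry
    stale = store.request_reset(8, t0)
    return {
        "fresh_differs": second != first,
        "old_link": store.redeem(7, first, t0 + RESET_TTL + 2),
        "new_link": store.redeem(7, second, t0 + RESET_TTL + 2),
        "late_click": store.redeem(8, stale, t0 + RESET_TTL),
        "reuse": store.redeem(7, second, t0 + RESET_TTL + 3),
    }
```

Checking the token before the expiry time means the "expired" message is only ever shown to someone who holds the link that was actually issued.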
