Here's a helpful tip for maintainers of Drupal 7 websites, if you're as puzzled by the password reset process.

For those not familiar, to reset a password you give your email to the site, then it sends an email with instructions how to reset your password. This much is reasonable and expected. Only the user with access to their email account will be able to change the password. This email comes with a link, and here's where things get weird. Typical users (and developers, too) expect that link to bring you to a page where you can change your password. Instead the link brings you to a form that looks like:

At this point, many users are scratching their heads wondering "WTF?"1 Experienced Drupalers know to click that Login button, then on the next page change their password. Not all users make it that far. In most (all?) cases, that Log in button is just one extra unecessary step in the password reset process.

It turns out, there's an easy way to skip that one-time login form. The form is created by user_pass_reset(), which (oddly) is both a form callback and submit handler of sorts. I suspect it is written purposefully to make the following tip possible, although I haven't seen it documented elsewhere.

The great thing about user_pass_reset() is it accepts an $action with just a small change to a URL. And when the action is 'login', the function logs the user in, just as if the one-time login form were submitted.

Which brings us to the point of this post. If that email sent to the user has a link with action "/login" appended to the end of it, the user skips the one-time login form. Simple as that!

Under Configuration >> People >> Account Settings you'll find several places where the [user:one-time-login-url] token is used. Where you find it, change it to [user:one-time-login-url]/login. You may want to also edit the text that follows the link, as some of that one-time login mumbo jumbo no longer applies.

Save those settings, open an incognito window, and request a password reset. You'll find the link emailed to you brings you straight to the password edit form, the very last step of the password reset process.

That's it for this tip. I hope it's helpful. [Edit: see Heine's comment pointing out this change may not be helpful to some users.]

1. WTF is short for "what's this form?"↩

Tags:

• drupal