Drupal password reset and transparent proxies
Today I experienced a problem with Drupal's one-time URL behaviour when resetting your password. I am a fan of the way Drupal does this, which I think is much better than the way most sites handle password resets.
However, in this particular case Drupal's solution failed to work. What happens is that the transparent proxy makes a connection to the URL (that I got by mail) and then does a second request that actually goes back to the browser. In a log, it looks like this:
65.160.238.180 - - [12/Dec/2007:16:09:23 +0100] "GET /user/reset/1/1197472122/1a021e957a8040149660bcec8d77e3e5 HTTP/1.1" 200 2810 "-" "Mozilla/4.0"
125.24.198.3 - - [12/Dec/2007:16:09:24 +0100] "GET /user/reset/1/1197472122/1a021e957a8040149660bcec8d77e3e5 HTTP/1.1" 200 1278 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.12) Gecko/20071130 CentOS/1.5.0.12-7.el5.centos Firefox/1.5.0.12"
NOTICE: the source address is also different. I suspect that this is a separate content filter, but being ignorant about how the setup is done at this company I can only guess why this happens.
And the result, of course, is that the one-time URL fails the second time for the user. It would be nice if somehow the one-time URL worked for e.g. 10 seconds after the first hit instead, although that is much harder to implement.
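A way to spot this pattern in an access log, as an added example that is not part of the original post: it flags any reset URL that is fetched from a second source address within a few seconds of the first hit. The function name, the 10-second default window and the third sample line are assumptions made for the illustration; the first two sample lines are the ones quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, matching the two lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# /user/reset/<uid>/<timestamp>/<hash>: the URL shape shown in the post.
RESET_RE = re.compile(r'^/user/reset/\d+/\d+/[0-9a-f]+$')

def find_prefetched_resets(lines, window_seconds=10):
    """Report reset URLs fetched from a second address shortly after the first hit."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "GET" or not RESET_RE.match(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["path"]].append((ts, m["ip"], m["ua"]))
    findings = []
    for path, reqs in hits.items():
        reqs.sort(key=lambda r: r[0])  # oldest request first
        first_ts, first_ip, first_ua = reqs[0]
        for ts, ip, ua in reqs[1:]:
            gap = (ts - first_ts).total_seconds()
            if ip != first_ip and gap <= window_seconds:
                findings.append({"path": path, "first_ip": first_ip, "first_ua": first_ua,
                                 "second_ip": ip, "second_ua": ua, "gap_seconds": gap})
                break  # one finding per URL is enough
    return findings

SAMPLE_LOG = [
    # The two lines quoted in the post.
    '65.160.238.180 - - [12/Dec/2007:16:09:23 +0100] "GET /user/reset/1/1197472122/1a021e957a8040149660bcec8d77e3e5 HTTP/1.1" 200 2810 "-" "Mozilla/4.0"',
    '125.24.198.3 - - [12/Dec/2007:16:09:24 +0100] "GET /user/reset/1/1197472122/1a021e957a8040149660bcec8d77e3e5 HTTP/1.1" 200 1278 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.12) Gecko/20071130 CentOS/1.5.0.12-7.el5.centos Firefox/1.5.0.12"',
    # Constructed line (not from the post): a reset link fetched once, which must not be flagged.
    '192.0.2.10 - - [12/Dec/2007:16:20:00 +0100] "GET /user/reset/2/1197472700/0123456789abcdef0123456789abcdef HTTP/1.1" 200 2810 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_prefetched_resets(SAMPLE_LOG):
        print(finding)
```

A finding means the link was already consumed by the first address when the second request arrived, which matches the failed reset described above.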