Password link too old


(David Collantes) #1

New invited user (moderator) is getting “Sorry, that password change link is too old. Select the Log In button and use ‘I forgot my password’ to get a new link.”, even after following the instructions, and using the new link on received email. Help?


(Matt Palmer) #2

Most likely cause is some sort of errant “security” software visiting the link and doing things it shouldn’t before the user visits the link. Password change links are valid for one visit only, to prevent replay attacks. While we try to detect and work around the most common forms of “security” software doing dumb stuff, the universe is always building more ingenious idiots who then get hired into AV companies…


(David Collantes) #3

Not the case here (macOS, no antivirus). Would an ad blocker cause this?


(Jeff Atwood) #4

What version of Discourse are you on?


(David Collantes) #5

Currently running v1.8.0.beta4 +12.


(Jeff Atwood) #6

How are you sending invite, what are the exact steps?


(David Collantes) #7

The invite was sent during the install wizard. User received the email, clicked on link, got the message. Followed the message instructions, got link on email, got message again. It worked on the third time.


(Jeff Atwood) #8

@eviltrout can you confirm curl will not invalidate invites sent this way through the wizard?


(Joe Buhlig) #9

Something else I’ve run into with this was the clock on the computer being used by the invitee. The time was wrong (I think it was a couple hours behind) and made it think it was an old link. Fixing the clock fixed mine.


(Jeff Atwood) #10

Oh interesting I always forget to consider wrong clock issues!


(David Collantes) #11

Links are generated on the server using, I assume, server time. How would that affect anything? How about servers in PST, and users all around the world, for example? Either way, it only happened once, will keep an eye on it.


(Joe Buhlig) #12

I haven’t looked at it but I assume there’s an adjustment for time zones. If (after the adjustment) the local time (per the users machine) indicates an old link, it would fail. But again, that’s my assumption.

In my case, I had a faulty time server on our internal network that threw off any hardwired machines. It was only users with a bad clock that had issues. Once the time was fixed (on 6 machines) the reset password process worked as expected.


(David Collantes) #13

I am trying to run Discourse, not an Active Directory! :slight_smile: Cheers.


(Arpit Jalan) #14

I can confirm that cURL will not invalidate invite sent via wizard. End user will have to explicity click on “Accept Invite” button to accept the invite.