Login Destinations
A while ago I decided it was easier for people who have an account on this site to get redirected to a kind of overview page which shows the latest content (kind of like the block on the front page but with some more options). So I googled and found a very easy way to do this, with Triggers and Actions, the Triggers module is part of the Drupal 7 core so I didn't have to bother with extra modules, it looked like perfect solution.
- Define an action which redirect the user to a certain page
- Connect the trigger "After a user logs in" to the action defined in step 1
Easy right? Until someone forgets his password!
Forgotten password
So I had this user who forgot her password, she used the password reset option on my website and got a nice email giving her a 'one time login link' (I'll get back to that). After a few days she told me she didn't get to the one time password change option but got redirected to the overview page. And when she navigates to her user profile she needs to enter the old (forgotten) password to change it.
Of course this is not how it was meant to be! I did the quick and dirty fix and changed her password and e-mailed this to her but still, this made me annoyed, people would always need my intervention if they forgot their password. No big deal on this site with a total of 5 user accounts but not a solution you want on a site with 500+ users.
Login Destinations
So I started using my good old friend Google again today and found this module: Login Destination. From the description this was exactly what I was looking for, giving multiple redirect options. After installing I went to configure it and it didn't really give me different options as triggers, login, registration and one-time login link where bundled in one check-box. It does allow for multiple rules and for rules for different user roles but it doesn't allow for a rule for one-time login and a separate rule for normal login. So my first reaction was 'close, but no cigar.'
Luckily I still took the effort of testing and to my very pleasant surprise the developers had actually thought about this part and the module actually first redirected to the password change option and only after saving the new password it redirected to overview page I created. This was exactly what I needed. Kuddos for the developers of this module.
One-time login links
To my surprise, before the user who has a problem with her password actually told me about it she had already used here 'one-time' login link several times! Of course I looked in to this. My first theory was they might only remove the one-time link after the password was changed by the user. So I created a test account, activated this and used the one-time link. Immediately after clicking the link I knew why it wasn't a one time link. It actually says so on the login screen, the link is valid for one month.
Even with my background in security I don't see this as high security risk since the link contains a 43 characters long randomly generated string and the user ID. The user ID is guessable, the string, you'll have to find a user with a reset link enabled and still valid and then guess the string, not very likely, not even with a lot of computers trying. What is a little more risk is if someone manages to get this link from a mailbox or browser history. So I would like to argue for a trigger on a password change which deletes the one-time link from the database since this would be the most secure option in my opinion.