Kev

Reputation: 119826

Should password reset pages automatically authenticate users?

Many lost password workflows usually result in a page which is reached by a temporary link emailed to the user. This link then takes them to a page that asks for a new password.

Upon entering the new password, should a user be forced to log on manually, or should the password reset page authenticate the user automatically, which would reduce the number of steps and thus the complexity of the process for the end user?

I often encounter password reset pages that make me reset my password and then log in, which feels like I'm logging in twice for no good reason.

Upvotes: 3

Views: 876

Answers (3)

lesderid

Reputation: 3430

You should make it auto-login. Don't see why you would make the user log in.

If it's because of bot protection, just add a captcha when the user logs in using the link.

Upvotes: 1

Jords

Reputation: 1875

I quite like Drupal's method: the user gets sent an email with a link in it which will log them on once; upon logging in with it they are given the opportunity to change their password.

Upvotes: 4
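
The one-time login link described in the answer above, sketched as an added example; it is not Drupal's code and not part of the original answer. The `ResetLinks` class, its in-memory dictionaries and the 15-minute `TOKEN_TTL` are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed link lifetime in seconds; set per your policy


class ResetLinks:
    """In-memory stand-in for the token and session tables (hypothetical)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens = {}    # sha256(token) -> (user_id, expires_at)
        self.sessions = {}  # session_id -> user_id

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create the secret that goes into the e-mailed link."""
        # Keep one outstanding link per user: drop any earlier ones.
        self.tokens = {d: v for d, v in self.tokens.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)
        # Store only a hash, so a leaked table does not yield usable links.
        self.tokens[self._digest(token)] = (user_id, self.clock() + TOKEN_TTL)
        return token

    def redeem(self, token):
        """Log the user in once. Returns a fresh session id, or None."""
        # pop() makes the link single use, even if it turns out to be expired.
        entry = self.tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return None
        # Control of the mailbox is the only proof of identity here, so end
        # every older session for the account before starting the new one.
        self.sessions = {s: u for s, u in self.sessions.items() if u != user_id}
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user_id
        return session_id
```

Once `redeem` returns a session id, the application shows the change-password form inside that session, so no second login step is needed.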

Steven Sudit

Reputation: 19620

I don't know of any significant advantage to forcing the user to re-enter the password that they just entered twice. If someone does, I'd be interested to hear about it.

Upvotes: 3
