Password reset link only works for original browser session

Summary: if I ask for a password reset link, then go to another browser session, and use the link, I get an uninformative error. The link does work in the same browser session as the request.

Steps to reproduce:

  • Open a private browser window in (in my case) Firefox
  • Go to (in my case) https://learn.nipraxis.org
  • Create an account (Register)
  • In another browser tab - log onto mail - activate the account
  • Log out
  • Sign in
  • I need help signing in - Forgot my password - Recover my password
  • Open another browser (in my case, Safari)
  • Collect link from email
  • Click to get: Reset Your Nipraxis Password - Page not found.
  • Clicking the same link from the original private browser window gives the expected password reset page.

I also got this effect using different private browser windows on Firefox, on an earlier test. I can’t reproduce that now, maybe because of caching.

Is this expected (that the link will only work within the same session)? Is there a way of avoiding the Page not found error, and replacing it with something more informative?

Hi @matthew-brett! I understand that this behaviour is surprising, but it’s actually the expected behaviour from Open edX. The idea is that you should not be able to access account A in any way if you are logged-in to account B. Even just telling account B that the link works only for account A would be some sort of security issue – at least, that’s my understanding.
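The principle described in that reply, as an added illustration in hypothetical Python that is not Open edX's own code: a reset link is bound to one account, and the handler answers "not found" both for an invalid link and for a link that belongs to a different account than the one currently logged in, so that the logged-in account learns nothing either way. The token format, the secret, and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # placeholder only; a real deployment uses a random key


def make_reset_token(user_id, exp):
    """Issue a signed reset token for one account, valid until unix time `exp`."""
    body = base64.urlsafe_b64encode(json.dumps({"uid": user_id, "exp": exp}).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def parse_reset_token(token, now):
    """Return the account the token was issued for, or None if it is invalid or expired."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time signature check
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) < now:
        return None
    return claims.get("uid")


def reset_page_for(session_user, token, now):
    """Decide what the reset-confirm URL shows for the current browser session.

    Returns ("reset_form", uid) when the link may be used, else ("not_found", None).
    A link for account A opened while logged in as account B gets exactly the same
    answer as a tampered or expired link, so B cannot tell whether A's link is valid.
    """
    uid = parse_reset_token(token, now)
    if uid is None:
        return ("not_found", None)
    if session_user is not None and session_user != uid:
        return ("not_found", None)
    return ("reset_form", uid)
```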