E-mail client safelink feature expires password reset confirmation emails: "Sorry, the link you clicked on has expired or is not valid. Please try resetting your password again"

OJS 3.3.0-13 (and earlier)

Describe the issue or problem
E-mail client (Outlook in Office 365) tries to verify the safety of the password reset confirmation link before sending the user to the reset confirmation link, causing it to expire by the time the user is able to visit the confirmation link. The user still receives the e-mail with username and temporary password but is rather confused, and several users have tried to reset their passwords multiple times before finally contacting our support about this issue.

By copying the url in the e-mail and pasting it directly in a new tab in the browser, I am able to bypass the safelink measure by the email client, and I will get the following message from OJS:

"A confirmation has been sent to your email address. Please follow the instructions in the email to reset your password. "

if I reload this page, I will get the expected message since the reset link should only be used once:
"Sorry, the link you clicked on has expired or is not valid. Please try resetting your password again. "

Conclusion is that the e-mail client’s safelink feature causes the password reset confirmation link to be ‘expired’ before the user will see the confirmation page.

So how can we somewhat change this behaviour or message as not to confuse the users who are resetting their passwords?

Steps I took leading up to the issue

User initiates a password reset.
User clicks on password reset link in the e-mail
Email-solution wants to check if the link is safe before immediately sending the user to the password reset link.

The link generated by OJS:

The link the user will actually go to when clicking the email before quickly being redirected to the original URL which was generated by OJS:

User gets the message “Sorry, the link you clicked on has expired or is not valid. Please try resetting your password again.”

User is confused and thinks that something was wrong with the password reset link, and sometimes users continue to reset their password multiple times.
User receives the e-mail with username and temporary password, but maybe they didn’t check because they were just told by OJS that the password reset link did not work.

User sends me a support request complaining that the password reset link doesn’t work.

Note: the URL doesn’t actually contain curly braces, but I have anonymized the contents there …

Temporary fix
My suggestion for a temporary fix if your users are experiencing this issue is to change user.login.lostPassword.invalidHash in /lib/pkp/locale/en_US/user.po (and other languages you use) to something like:

msgstr “Sorry, the link you clicked on has expired or is not valid. Please try resetting your password again. <br /><br />(Or it could be that your E-mail client’s safelink feature has already checked the URL causing it to expire). <br /><br />Check your inbox anyway to see if you just got an email with your username and a temporary password.”

This seems like the expected behaviour for the Outlook’s safelink service as it makes an HEAD request for the give url to run some verification/other protection before dispatching to the intended url and we currently have no such check to handle such request for the password reset functionality. Your proposed temporary fix is one way to get around of this issue . Another way is to put a check for the Request Method in the LoginHandler::resetPassword method to see if it’s a HEAD request and in that case redirect to home/base path so that method functionality does not get executed.

BTW I will make a github issue for this one to see if a fix can be included into the software for this one .

PKP Team

1 Like

We have the same problem. Did you make a github issue @touhidur ?


I have registered a Github issue for this after discussing it internally with PKP Team . Issue at Email client safelink cause user password reset feature broken. · Issue #8392 · pkp/pkp-lib · GitHub . Hopefully a fix will be included in the next release of current stable version that is 3.3.0-14 .

1 Like