If you use a forgotten password reset form, e.g. URL /auth/forgotten_password/cc2ffdc2c20db368a1f3e4576159d9d2cc2c75b2, and change your password, then you go to the login page and the login form has a hidden return_to field set to /auth/forgotten_password/cc2ffdc2c20db368a1f3e4576159d9d2cc2c75b2

That is not good, because then you'll end up going to that form again and get an error because the hash is already used. There should be no return_to in this situation.
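One way to get the behaviour requested above, as an added example that is not the project's own code: the login form asks a filter for its return_to value and omits the hidden field when the filter returns nothing. The function name safe_return_to, the prefix list and the sample URLs are assumptions made for illustration; the example also goes slightly beyond the report by rejecting return_to values that are not site-local paths.

```python
import posixpath
from urllib.parse import urlsplit

# Assumption: prefixes whose URLs carry single-use tokens. Only
# /auth/forgotten_password/ is named in the report.
NO_RETURN_PREFIXES = ("/auth/forgotten_password",)


def safe_return_to(candidate, default=None):
    """Return candidate if it may be used as a post-login return_to,
    otherwise default (None means: render no return_to field)."""
    if not candidate or "\\" in candidate:
        return default
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return default
    # Site-local paths only: no scheme, no host, exactly one leading slash.
    if parts.scheme or parts.netloc:
        return default
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    # Normalise so "/auth/./forgotten_password/x" cannot slip past the check.
    path = posixpath.normpath(parts.path)
    for prefix in NO_RETURN_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return default
    return candidate


def login_hidden_fields(candidate):
    """Hidden fields for the login form; return_to is left out entirely
    when the candidate is rejected."""
    value = safe_return_to(candidate)
    return {"return_to": value} if value else {}


if __name__ == "__main__":
    # Constructed sample values, not taken from a real site.
    for url in ("/auth/forgotten_password/0123abcd",
                "/p/demo/tickets/42/",
                "https://example.invalid/p/demo/"):
        print(url, "->", login_hidden_fields(url))
```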