Password Recovery Issue (3.6)

Hello,

We are running Nop version 3.6.  We have been getting reports of some of our customers having difficulty using the Password Recovery.  When this happens, they get the message "Wrong password recovery token."

I tested the Password Recovery on several of our stores with a few different email addresses and was unable to reproduce the issue.  However, a couple of our sales people have been able to reproduce the issue and I have been sent screenshots of it.

At first, I thought it might be happening, because of a time limit for how long the recovery link is valid, but I checked the Setting for "customersettings.passwordrecoverylinkdaysvalid" and it is set to 7 days.

Does anyone know why this would be happening on occasion?


Thanks!  Mike

Hi, Mike!

Can you reproduce all steps that cause the error?

Hi Mariann,

No, as I stated above, I did numerous password resets and could not reproduce the issue.  A couple of our people were able to reproduce it, but I'm sure what they did that was any different from what I was trying.  So, it seems to be a bit of a mystery.


Thanks, Mike

Try to ask the users who received this error so that they describe all of the steps that led to the error. Unfortunately, without additional information we can't help you.

Hi Mike, did you resolve this issue? I am having the same problem!

We have the same problem.  I don't know what the customer is doing.

Hi guys!

I didn't end up making any changes to our system.  Whatever the issue was, it was isolated to just a few customers.

I suggest getting as many details (and screenshots if possible) from your customers that are having an issue with it.

Sorry I couldn't be of more help.


Mike

Having the same issue. A customer tried resetting their password but got "Wrong password recovery token" message. I could not recreate the issue.
The customer tried again a hour or so later and was able to reset their password.
My site is built using Nop version 4.2

To Reproduce the Issue follow this;

1. Register as a new user and activate the account.
2. Logout and click on "Lost Password" link to get the email to reset. (No1)
3. Few minutes later, click on "Lost Password" link again to get the email to reset (No2)
4. Check your inbox where you should receive 2 x emails to reset your password.
5. Open the oldest email (no1) and click on the link to reset your password.
6. Get the "Wrong password recovery token" error.

in summary, customers are making multiple password recovery requests but not clicking on the link from the very last email they received. Each recovery request has its own token despite being for the same customer/email.

What can be done? A setting can be implemented so that system will not send a second lost password email to same email address at any given period, for example 5min, 15min, 30min, 1hr etc.

RE: "...system will not send a second lost password email to same email address at any given period..."
Maybe.  But it may be better to just "educate" the customer.  I.e., edit the string resource
account.passwordrecovery.tooltip
and explain that email can take awhile, and to check the junk mail folder, and not to click again for a while.