Magento2: Shopping cart is emptied after reset password procedure

Created on 4 Apr 2018 · 13 Comments · Source: magento/magento2

Preconditions


  1. PHP 7.0.27
  2. MariaDB 10.1.26
  3. Magento 2.1.12

Steps to reproduce

  1. As a guest, put some items in shopping cart
  2. Login -> Forgot Password
  3. Enter Email, press "Reset Password" button
  4. From mail press "Set a new password"
  5. On "Forgot Password" page input new password. Shopping cart still has items in it.
  6. Press button "Set a new password"
  7. Shopping cart is empty now.

Expected result

  1. Shopping cart not empty after setting new password.

Actual result

  1. Shopping cart empty after setting new password.

There are many users with randomly generated passwords after the transfer from the old CMS. During the checkout process they see that the account already exists, try to reset the password, and after that they see that the shopping cart is empty. It's embarrassing.

Labels: Customer balance-cd, Clear Description, Confirmed, Format is valid, Ready for Work, Reproduced on 2.2.x, Reproduced on 2.3.x

All 13 comments

As a workaround, I commented out two lines in vendor/magento/module-customer/Model/AccountManagement.php, function resetPassword:
$this->sessionManager->destroy();
$this->destroyCustomerSessions($customer->getId());
Did I break anything?

    public function resetPassword($email, $resetToken, $newPassword)
    {
        $customer = $this->customerRepository->get($email);
        //Validate Token and new password strength
        $this->validateResetPasswordToken($customer->getId(), $resetToken);
        $this->checkPasswordStrength($newPassword);
        //Update secure data
        $customerSecure = $this->customerRegistry->retrieveSecureData($customer->getId());
        $customerSecure->setRpToken(null);
        $customerSecure->setRpTokenCreatedAt(null);
        $customerSecure->setPasswordHash($this->createPasswordHash($newPassword));
        //$this->sessionManager->destroy();
        //$this->destroyCustomerSessions($customer->getId());
        $this->customerRepository->save($customer);

        return true;
    }

@evgenyvas you only have to comment out $this->sessionManager->destroy();. The destroyCustomerSessions method destroys customer sessions except the active one. But the active one is destroyed in $this->sessionManager->destroy();.
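Added example, not Magento's code and not posted by anyone in this thread: a self-contained PHP model of what the two calls discussed above do to a guest cart (a Magento "quote"), and of an id-rotation alternative that keeps the cart while still making the old session id unusable. The `SessionStore` class and every method and function in it are invented for the illustration; the name `regenerateId()` follows Magento's framework session manager interface, but the body here is a toy, not Magento's implementation. The cart contents and customer id are constructed sample values.

```php
<?php
declare(strict_types=1);

/**
 * Constructed illustration (not Magento code): an in-memory session store with
 * just enough behaviour to show the effect of sessionManager->destroy() versus
 * destroyCustomerSessions() on a guest cart, plus an alternative that rotates
 * the session id instead of dropping the session. All names are invented.
 */
final class SessionStore
{
    /** @var array session id => ['customer_id' => int|null, 'cart' => array] */
    private $sessions = [];

    /** Start a session; $customerId is null for a guest. Returns the new session id. */
    public function start($customerId, array $cart): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = ['customer_id' => $customerId, 'cart' => $cart];
        return $id;
    }

    /** Session row, or null if the id is unknown (destroyed or rotated away). */
    public function get(string $id)
    {
        return isset($this->sessions[$id]) ? $this->sessions[$id] : null;
    }

    /** Counterpart of sessionManager->destroy(): the current session, cart included, is gone. */
    public function destroy(string $id)
    {
        unset($this->sessions[$id]);
    }

    /** Counterpart of destroyCustomerSessions(): drop this customer's sessions other than $keepId. */
    public function destroyOtherSessionsOf(int $customerId, string $keepId): int
    {
        $dropped = 0;
        foreach ($this->sessions as $id => $row) {
            if ($id !== $keepId && $row['customer_id'] === $customerId) {
                unset($this->sessions[$id]);
                $dropped++;
            }
        }
        return $dropped;
    }

    /** Rotate the session id: the old id stops working, the data (cart) moves to the new id. */
    public function regenerateId(string $oldId): string
    {
        $row = $this->get($oldId) ?: ['customer_id' => null, 'cart' => []];
        unset($this->sessions[$oldId]);
        $newId = bin2hex(random_bytes(16));
        $this->sessions[$newId] = $row;
        return $newId;
    }
}

/** What the thread reports: the reset destroys the active session, so the guest cart is lost. */
function resetPasswordDestroying(SessionStore $store, string $sessionId, int $customerId)
{
    $store->destroy($sessionId);
    $store->destroyOtherSessionsOf($customerId, $sessionId);
    return null; // no session left to continue with
}

/** Alternative: old id unusable, other sessions revoked, cart carried over to the new id. */
function resetPasswordRotating(SessionStore $store, string $sessionId, int $customerId): string
{
    $newId = $store->regenerateId($sessionId);
    $store->destroyOtherSessionsOf($customerId, $newId);
    return $newId;
}

// Scenario from the issue: customer 42 has a stale login elsewhere, and a guest
// session on this browser holds a cart, then resets the password of account 42.
$cart = ['sku-123' => 2, 'sku-456' => 1]; // constructed sample cart

$store = new SessionStore();
$stale = $store->start(42, []);
$guest = $store->start(null, $cart);
resetPasswordDestroying($store, $guest, 42);
echo 'destroy(): guest session after reset = ', json_encode($store->get($guest)), PHP_EOL;

$store = new SessionStore();
$stale = $store->start(42, []);
$guest = $store->start(null, $cart);
$after = resetPasswordRotating($store, $guest, 42);
echo 'regenerateId(): old id still valid? ', var_export($store->get($guest) !== null, true), PHP_EOL;
echo 'regenerateId(): stale session still valid? ', var_export($store->get($stale) !== null, true), PHP_EOL;
echo 'regenerateId(): cart carried over = ', json_encode($store->get($after)['cart']), PHP_EOL;
```

Run it with `php example.php`. The first scenario reproduces the complaint: after `destroy()` the guest session, and with it the cart, no longer exists. The second keeps the security property the original line was there for (the id used before the reset is invalid afterwards, and every other session of the customer is revoked) without throwing the cart away; in a real store the cart data would live in the quote table and only the session-to-quote link needs to survive the rotation.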

This appears to be introduced in 2.2.3; https://github.com/magento/magento2/blame/a952969a8c08928d356fab8d0fb35f4dbe5fe9ce/app/code/Magento/Customer/Model/AccountManagement.php#L613

This is obviously very annoying for customers.

For now, I just use a composer patch to fix this;

From 1de4b953e0da7ee29d586d770d79d857c3c9ca33 Mon Sep 17 00:00:00 2001
From: peterjaap <[email protected]>
Date: Tue, 22 May 2018 14:33:51 +0200
Subject: [PATCH 1/1] Uncommented destroying of active session after resetting
 password

Signed-off-by: peterjaap <[email protected]>
---
 Model/AccountManagement.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Model/AccountManagement.php b/Model/AccountManagement.php
index c1231a1..4469e5e 100644
--- a/Model/AccountManagement.php
+++ b/Model/AccountManagement.php
@@ -596,7 +596,7 @@ class AccountManagement implements AccountManagementInterface
         $customerSecure->setRpToken(null);
         $customerSecure->setRpTokenCreatedAt(null);
         $customerSecure->setPasswordHash($this->createPasswordHash($newPassword));
-        $this->sessionManager->destroy();
+//        $this->sessionManager->destroy();
         $this->destroyCustomerSessions($customer->getId());
         $this->customerRepository->save($customer);

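Review bot: commenting out `$this->sessionManager->destroy();` keeps the session that submitted the reset alive, which restores the quote but also means a password change no longer invalidates a session already logged in as that customer on the same browser; `$this->destroyCustomerSessions($customer->getId());` on the next line only covers the other sessions, as noted earlier in this thread. If keeping the cart is the goal, rotating the session id (the session manager's `regenerateId()`) in place of the removed call keeps the quote while making the old id unusable. Two smaller points: the `+//` line sits at column 0 and leaves dead code (delete the line instead), and the subject line says "Uncommented" where the diff actually comments the call out.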
-- 
2.17.0

Hi @evgenyvas thank you for your report.
We've acknowledged the issue and added to our backlog.

@engcom-backlog-nazar wasn't this issue fixed by https://github.com/magento/magento2/pull/14973 ? It looks like duplicate of https://github.com/magento/magento2/issues/12362

Hi @ihor-sviziev No, I just checked now and this issue still exists

@ihor-sviziev This PR can fix this issue-> https://github.com/magento/magento2/pull/17517

Backward patch for 2.2.6;

diff --git a/Model/AccountManagement.php b/Model/AccountManagement.php
index 8f25651..6e40f1a 100644
--- a/Model/AccountManagement.php
+++ b/Model/AccountManagement.php
@@ -670,7 +670,7 @@ class AccountManagement implements AccountManagementInterface
         $customerSecure->setRpTokenCreatedAt(null);
         $customerSecure->setPasswordHash($this->createPasswordHash($newPassword));
         $this->getAuthentication()->unlock($customer->getId());
-        $this->sessionManager->destroy();
+//        $this->sessionManager->destroy();
         $this->destroyCustomerSessions($customer->getId());
         $this->customerRepository->save($customer);

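Review bot: in this version `$this->getAuthentication()->unlock($customer->getId());` runs directly before the disabled `destroy()`, so the account is unlocked and the session in which the reset token was consumed continues untouched in the same request; whoever applies this should confirm that combination is acceptable for their store, or rotate the session id at this point instead of keeping the session as is. The `//` at column 0 breaks the method's indentation; if the line is to stay disabled, indent the comment with the surrounding code or remove the line.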
-- 
2.17.1


Backward patch for 2.2.7;

diff --git a/Model/AccountManagement.php b/Model/AccountManagement.php
index 8f25651..404d5e8 100644
--- a/Model/AccountManagement.php
+++ b/Model/AccountManagement.php
@@ -670,7 +670,7 @@ class AccountManagement implements AccountManagementInterface
         $customerSecure->setRpTokenCreatedAt(null);
         $customerSecure->setPasswordHash($this->createPasswordHash($newPassword));
         $this->getAuthentication()->unlock($customer->getId());
-        $this->sessionManager->destroy();
+        // $this->sessionManager->destroy(); // uncommented by patch
         $this->destroyCustomerSessions($customer->getId());
         $this->customerRepository->save($customer);

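Review bot: the marker `// uncommented by patch` states the opposite of what the hunk does (the call is being commented out), which will mislead anyone reading the patched file later; reword it to something like `// disabled by patch: keep the active session and its quote across password reset` and cite this issue. Since the `index 8f25651..` base is the same as in the 2.2.6 patch, the hunk applies to an identical starting file and the caveat about the surviving active session applies unchanged.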
-- 
2.17.1

The same error on Magento 2.2.7
This commit: https://github.com/magento/magento2/commit/bc8d3d5d0ead9779cb22d19201cd731719a79b0c does not fix this error

Backward patch for 2.2.8;

diff --git a/Model/AccountManagement.php b/Model/AccountManagement.php
index 6387555..a753a7e 100644
--- a/Model/AccountManagement.php
+++ b/Model/AccountManagement.php
@@ -690,7 +690,7 @@ class AccountManagement implements AccountManagementInterface
         $customerSecure->setPasswordHash($this->createPasswordHash($newPassword));
         $this->getAuthentication()->unlock($customer->getId());
         $this->destroyCustomerSessions($customer->getId());
-        $this->sessionManager->destroy();
+        // $this->sessionManager->destroy(); // uncommented by patch
         $this->customerRepository->save($customer);

         return true;
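Review bot: 2.2.8 has reordered the method so that `$this->destroyCustomerSessions($customer->getId());` now runs before `destroy()`; with `destroy()` disabled, nothing in `resetPassword()` touches the session that submitted the reset, and it continues with its full pre-reset state. For the guest-cart case in this issue that is the intended outcome, but it also removes the one step that would have cut off a session on this device, so the `regenerateId()` alternative is worth considering here too. The marker text has the same inverted wording ("uncommented") as the 2.2.7 patch.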
-- 
2.17.1

Hello @evgenyvas @peterjaap @hryvinskyi @maximbaibakov @LucasCalazans

Thank you for contribution and collaboration!

The corresponding internal ticket MAGETWO-93628 was fixed and closed by Magento team

Delivered to 2.3-develop branch and should be available with 2.3.2 release
Please see details in the next commits:

  • a5635a2
  • 02a65d0
  • 4921f45
  • 184191f
  • a74b0c1

Internal ticket MAGETWO-93627 currently in the delivery queue and will be merged into 2.2-develop soon.
Should be available with 2.2.9 release

@sdzhepa please establish a practice of squashing changes properly; it is not so easy to understand what happened there from 5 commits.

Hi @orlangur , we'll reach out to our core teams with your suggestion. Thank you for the input.
