UM design issue with the email “Activation” and “Reset password” links #845
Comments
UM Support history
The error message “This activation link is expired or have already been used.” has been reported in the UM Support Forum for the last 4 years and if any reply by an UM developer the standard questions about "any caching" and "plugin/theme conflicts". Some Thread Starters are close to the issue with email clients pre-fetches but are being ignored by the UM developers.
https://wordpress.org/support/topic/this-activation-link-is-expired-or-have-already-been-used-4/
https://wordpress.org/support/topic/this-activation-link-is-expired-or-have-already-been-used-3/
https://wordpress.org/support/topic/this-activation-link-is-expired-or-have-already-been-used-2/
3 years, 8 months ago: Thread Starter:
UM Developer reply:
Today one additional user having this UM design issue with an email Activation link:
I'm having the same issue. Outlook visits the links even if they are set to rel="nofollow", which results in the "This activation link is expired or have already been used." error for activation every time.
In Outlook you can temporarily turn off Link preview:
A quick fix for this issue: https://github.com/MissVeronica/um-landing-page-for-email-links
Support Forum post "The activation link is expired" https://wordpress.org/support/topic/the-activation-link-is-expired/
Support Forum post "Activation Link Expired (E-Mail Anti-Virus)" https://wordpress.org/support/topic/activation-link-expired-e-mail-anti-virus/
I am also having this problem on a couple of sites. It seems to happen quite commonly amongst users on corporate email accounts so the explanation that the email client is prefetching/scanning the links makes perfect sense. The solution suggested of having an intermediary page also makes a lot of sense. Is there any progress on this bug as I can't think of a way to work around it? It seems to be referenced in a number of forums, so one would assume it is quite commonplace amongst other users of this feature.
Hey @ultimatemember, @champsupertramp, could the approach adopted here https://github.com/MissVeronica/um-landing-page-for-email-links by @MissVeronica be integrated into core? I discovered today that Office 365's 'safe links' feature appears to be following the link automatically before the user sees the email. I am concerned it may also be activating the account too, although it's difficult to test without access to an Office 365 account. If this is indeed the case, there is a potential data security/privacy risk. For example, if the activation feature is being used as a safeguard against a user registering for an account under someone else's email ID, then access could be granted automatically via the malware scanner triggering the activation link without their consent. This could be a problem where additional pre-existing personal data is loaded into a WordPress account on login via a CRM integration based on the email address of the user.
The quick fix for this issue has been updated to version 3 now supporting both pre UM 2.5.0 and UM 2.5.0: https://github.com/MissVeronica/um-landing-page-for-email-links UM 2.5.0 release notes Fixed:
Hey @ultimatemember, @champsupertramp this still seems to be a problem with some email hosts - namely Office365. Is the additional plugin by @MissVeronica still the only solution?
Expected behavior
Clicking on the “Activation” or “Reset password” links received via email should Activate a new UM Account or make Password reset possible to perform for all UM users without any detailed instructions.
Isolating the problem (mark completed items with an [x]):
Examples from UM support forum during last week and a lot of hard work for the Thread Starters:
https://wordpress.org/support/topic/password-102/
https://wordpress.org/support/topic/this-activation-link-is-expired-or-have-already-been-used-5/
Describe the bug
There is an UM design issue with these “Activation” and “Reset password” links because many email clients do a pre-fetch of the link when the email is opened by the user and this pre-fetch makes the link invalid/old/used when the user clicks the link.
Other software like firewall/anti-virus/anti-malware might also do pre-fetches for analytical purposes without any user actively triggering it.
A rule from the direct mail community is:
UM is sending "Activation" and "Password reset" links which are HTTP GETs.
Hiding the link behind a HTML like "button" is no solution and HTTP POSTs are rarely supported by email clients.
To Reproduce
Steps to reproduce the behavior:
Microsoft and Google pre-fetch examples
Pre-fetch or link preview can be turned off in Outlook but this feature is on as default and turning off for users signing up for an UM driven site is NOT a solution.
https://support.microsoft.com/en-us/office/use-link-preview-in-outlook-com-and-outlook-on-the-web-ebbfd8ce-d38e-40ef-bb8c-a5362e881163
Click-time link protections in third-party email clients by Google: https://support.google.com/mail/answer/10173182?hl=en
Expected behavior/solutions
Today:
Add an attribute to the email templates both UM original and user modified with one-time-only links
rel="nofollow"
if not already done by a clever user. Looks like in this example:
.... letter-spacing: 0.3px;" rel="nofollow" href="{password_reset_link}"> ....
Hopefully some email clients will follow the attribute but they may also dismiss it.
Review other UM email templates for this attribute addon.
Short term:
Replace current strategy and create an UM intermediate landing page from the email link requiring the user to confirm their Activation/Password reset request with a HTTP POST. Review all email templates for the new setup.
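
The difference between a link that acts on GET and the intermediate landing page proposed above, as an added example in Python (not code from Ultimate Member or from the linked plugin). The `EmailLinks` class, `simulate` function and the sample address are hypothetical names made up for the illustration; the model replays a scanner pre-fetch followed by the real user's click and confirmation.

```python
import hashlib
import secrets
import time

EXPIRED = "This activation link is expired or have already been used."  # message quoted in the issue

class EmailLinks:
    def __init__(self, consume_on_get, ttl=3600):
        self.consume_on_get = consume_on_get  # True models a link that acts on a plain GET
        self.ttl = ttl
        self.pending = {}      # sha256(token) -> (user, expiry); the raw token is never stored
        self.activated = set()

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        self.pending[self._key(token)] = (user, time.time() + self.ttl)
        return token

    def _valid(self, token):
        entry = self.pending.get(self._key(token))
        return entry is not None and entry[1] >= time.time()

    def handle(self, method, token):
        if method not in ("GET", "HEAD", "POST"):
            return 405, "Method not allowed"
        if not self._valid(token):
            return 410, EXPIRED
        if method == "POST" or self.consume_on_get:
            user, _ = self.pending.pop(self._key(token))  # single use: state changes here
            self.activated.add(user)
            return 200, "Account activated"
        # Safe request: render the confirmation form and change nothing.
        return 200, '<form method="post"><button>Confirm activation</button></form>'

def simulate(consume_on_get):
    """A scanner pre-fetches the link, then the user opens it and confirms."""
    user = "alice@example.test"  # constructed sample address
    links = EmailLinks(consume_on_get)
    token = links.issue(user)
    prefetch = links.handle("GET", token)[0]    # link preview / mail scanner
    scanner_activated = user in links.activated
    user_get = links.handle("GET", token)[0]    # user clicks the emailed link
    user_post = links.handle("POST", token)[0]  # user presses the button
    return prefetch, scanner_activated, user_get, user_post
```

With `consume_on_get=True` the pre-fetch both activates the account and leaves the user with the expired-link error; with `False` the token survives any number of GETs and is spent only by the POST.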