User reports having to change their password every time they try to log in (app uses devise authentication)


I’m curious what might cause a user to be prompted repeatedly to change their password with the devise gem.

I’ve looked through the documentation and I don’t see any module or anything that refers to forcing users to change their passwords.

I’ve tried to recreate the problem on my local machine, by downloading the production database, setting this user’s password to ‘password123’ or whatever, and then logging in, and I’m not seeing the issue they’re seeing.

Wondering if there might be anything I’m missing or if anyone has any suggestions or insight.


Maybe the user is not describing the issue accurately and rather means to say that the password they enter on the login page is not recognized? Maybe the password field used to set the new password (as part of the password reset flow) behaves differently than the one they use to subsequently log in, e.g. maybe they reset from a web app in a specific browser, and then log in from some other browser or mobile app and maybe they have some auto-correction feature which changes what they type but only when logging in or only when resetting, or maybe they have Caps Lock enabled in one case and not the other without realizing. I’d ask more specific questions to understand their situation, e.g. what kind of error message do they get exactly, maybe screenshots. Maybe encourage them to store the password in the memory of their browser or in a password manager or keychain to make sure it’s exactly inserted as intended. Or ask them to copy-paste the password from some temporary file so that they can visually check it’s spelled as they intended. Or you could maybe add a feature on the password field to toggle the visibility of what they are typing on/off.

Just some ideas… And I’d be curious to know what was the cause if you can figure it out!

The user says they’re entering their same password each time (so they’re not actually changing it), and it accepts their password, and they can log in. When they log out, and come back to the website, and log in again, they’re apparently being prompted to reset their password again.

That could very well be part of the problem, that they are not describing the issue properly.

I’ve checked in the database and they don’t have anything set for the “reset_password_token” column.

I think we solved it… we had the user clear their cache/cookies.

