Shopping cart is emptied after reset password procedure

[evgenyvas]

Preconditions

1. PHP 7.0.27
2. MariaDB 10.1.26
3. Magento 2.1.12

Steps to reproduce

1. As a guest, put some items in shopping cart
2. Login -> Forgot Password
3. Enter Email, press "Reset Password" button
4. From mail press "Set a new password"
5. On "Forgot Password" page input new password. Shopping cart is still have items in it.
6. Press button "Set a new password"
7. Shopping cart is empty now.

Expected result

1. Shopping cart not empty after setting new password.

Actual result

1. Shopping cart empty after setting new password.

There are many users with random generated password, after transfer from old CMS. While checkout process they see account is existed, try to reset password and after that they see shopping cart is empty. It's embarrasing.

[evgenyvas]

As a workaround, I commented two lines in vendor/magento/module-customer/Model/AccountManagement.php, function resetPassword
$this->sessionManager->destroy();
$this->destroyCustomerSessions($customer->getId());
Did I break anything?

    public function resetPassword($email, $resetToken, $newPassword)
    {
        $customer = $this->customerRepository->get($email);
        //Validate Token and new password strength
        $this->validateResetPasswordToken($customer->getId(), $resetToken);
        $this->checkPasswordStrength($newPassword);
        //Update secure data
        $customerSecure = $this->customerRegistry->retrieveSecureData($customer->getId());
        $customerSecure->setRpToken(null);
        $customerSecure->setRpTokenCreatedAt(null);
        $customerSecure->setPasswordHash($this->createPasswordHash($newPassword));
        //$this->sessionManager->destroy();
        //$this->destroyCustomerSessions($customer->getId());
        $this->customerRepository->save($customer);

        return true;
    }

[peterjaap]

@evgenyvas you only have to comment out $this->sessionManager->destroy();. The destroyCustomerSessions method destroys customer sessions except the active one. But the active one is destroyed in $this->sessionManager->destroy();.

This appears to be introduced in 2.2.3; https://github.com/magento/magento2/blame/a952969a8c08928d356fab8d0fb35f4dbe5fe9ce/app/code/Magento/Customer/Model/AccountManagement.php#L613

This is obviously very annoying for customers.

For now, I just use a composer patch to fix this;

From 1de4b953e0da7ee29d586d770d79d857c3c9ca33 Mon Sep 17 00:00:00 2001
From: peterjaap <peterjaap@elgentos.nl>
Date: Tue, 22 May 2018 14:33:51 +0200
Subject: [PATCH 1/1] Uncommented destroying of active session after resetting
 password

Signed-off-by: peterjaap <peterjaap@elgentos.nl>
---
 Model/AccountManagement.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Model/AccountManagement.php b/Model/AccountManagement.php
index c1231a1..4469e5e 100644
--- a/Model/AccountManagement.php
+++ b/Model/AccountManagement.php
@@ -596,7 +596,7 @@ class AccountManagement implements AccountManagementInterface
         $customerSecure->setRpToken(null);
         $customerSecure->setRpTokenCreatedAt(null);
         $customerSecure->setPasswordHash($this->createPasswordHash($newPassword));
-        $this->sessionManager->destroy();
+//        $this->sessionManager->destroy();
         $this->destroyCustomerSessions($customer->getId());
         $this->customerRepository->save($customer);
 
-- 
2.17.0

[ghost]

Hi @evgenyvas thank you for your report.
We've acknowledged the issue and added to our backlog.

[ihor-sviziev]

@engcom-backlog-nazar wasn't this issue fixed by #14973 ? It looks like duplicate of #12362

[ghost]

Hi @ihor-sviziev No, just checked now still exist this issue

[ghost]

@ihor-sviziev This PR can fix this issue-> #17517

[peterjaap]

Backward patch for 2.2.6;

diff --git a/Model/AccountManagement.php b/Model/AccountManagement.php
index 8f25651..6e40f1a 100644
--- a/Model/AccountManagement.php
+++ b/Model/AccountManagement.php
@@ -670,7 +670,7 @@ class AccountManagement implements AccountManagementInterface
         $customerSecure->setRpTokenCreatedAt(null);
         $customerSecure->setPasswordHash($this->createPasswordHash($newPassword));
         $this->getAuthentication()->unlock($customer->getId());
-        $this->sessionManager->destroy();
+//        $this->sessionManager->destroy();
         $this->destroyCustomerSessions($customer->getId());
         $this->customerRepository->save($customer);
 
-- 
2.17.1

[peterjaap]

Backward patch for 2.2.7;

diff --git a/Model/AccountManagement.php b/Model/AccountManagement.php
index 8f25651..404d5e8 100644
--- a/Model/AccountManagement.php
+++ b/Model/AccountManagement.php
@@ -670,7 +670,7 @@ class AccountManagement implements AccountManagementInterface
         $customerSecure->setRpTokenCreatedAt(null);
         $customerSecure->setPasswordHash($this->createPasswordHash($newPassword));
         $this->getAuthentication()->unlock($customer->getId());
-        $this->sessionManager->destroy();
+        // $this->sessionManager->destroy(); // uncommented by patch
         $this->destroyCustomerSessions($customer->getId());
         $this->customerRepository->save($customer);
 
-- 
2.17.1

[hryvinskyi]

The same error on Magento 2.2.7
This commit: bc8d3d5 does not fix this error

[peterjaap]

Backward patch for 2.2.8;

diff --git a/Model/AccountManagement.php b/Model/AccountManagement.php
index 6387555..a753a7e 100644
--- a/Model/AccountManagement.php
+++ b/Model/AccountManagement.php
@@ -690,7 +690,7 @@ class AccountManagement implements AccountManagementInterface
         $customerSecure->setPasswordHash($this->createPasswordHash($newPassword));
         $this->getAuthentication()->unlock($customer->getId());
         $this->destroyCustomerSessions($customer->getId());
-        $this->sessionManager->destroy();
+        // $this->sessionManager->destroy(); // uncommented by patch
         $this->customerRepository->save($customer);
 
         return true;
-- 
2.17.1

[sdzhepa]

Hello @evgenyvas @peterjaap @hryvinskyi @maximbaibakov @LucasCalazans

Thank you for contribution and collaboration!

The corresponding internal ticket MAGETWO-93628was fixed and closed by Magento team

Delivered to 2.3-develop branch and should be available with 2.3.2 release
Please see details in the next commits:

• a5635a2
• 02a65d0
• 4921f45
• 184191f
• a74b0c1

Internal ticket MAGETWO-93627 currently in the delivery queue and will be merged into 2.2-develop soon.
Should be available with 2.2.9 release

[orlangur]

@sdzhepa please establish practice of squashing changes properly, is not so easy to understand what happened there from 5 commits.

[sidolov]

Hi @orlangur , we'll reach out our core teams with your suggestion. Thank you for the input.