Make password reset email link same browser restriction configurable

When requesting a password reset in Create, the link in the email that is sent only works if it is opened in the same browser. Mine, and I think a lot of other people’s, general workflow when requesting password resets from a website is to request the reset using my desktop/laptop, see the email pop up on my phone, reset my password from my phone and then log back in using my desktop/laptop.

Can we please make the same browser session requirement a configurable option that can be switched off if the customer wishes?


Hi Sean,

Since both of you (!) and others are requesting this, we will definitely look to make this optional.

We have had a quick look and unfortunately it is not going to be a quick change though.

Locking a full authentication flow to a single session in one browser on one device is a really nice security feature, so it would remain on by default after implementing this.
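
A sketch of the behaviour discussed in this thread: a reset link bound to the browser session that requested it, with the binding configurable and on by default. This is an added example, not Create's implementation; the function names, the `require_same_session` flag and the token format are assumptions, and single-use tracking is left out.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process signing key


def _binding(session_id, require_same_session):
    # Hash of the session id when the restriction is on, a fixed marker when off.
    if not require_same_session:
        return "-"
    return hashlib.sha256(session_id.encode()).hexdigest()


def _mac(user, expires, binding):
    msg = f"{user}|{expires}|{binding}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_reset_token(user, session_id, require_same_session=True, ttl=900, now=None):
    """Build the value placed in the emailed link; the session id is never in it."""
    if "|" in user:
        raise ValueError("user must not contain '|'")
    expires = int(time.time() if now is None else now) + ttl
    binding = _binding(session_id, require_same_session)
    return f"{user}|{expires}|{_mac(user, expires, binding)}"


def verify_reset_token(token, session_id, require_same_session=True, now=None):
    """Return True only if the token is unexpired and matches the current policy."""
    try:
        user, expires, mac = token.rsplit("|", 2)
        expires = int(expires)
    except ValueError:
        return False  # malformed token
    if (time.time() if now is None else now) > expires:
        return False
    # With the restriction on, the MAC only matches for the session that asked.
    expected = _mac(user, expires, _binding(session_id, require_same_session))
    return hmac.compare_digest(mac.encode(), expected.encode())
```

A token issued with the restriction switched off fails verification if the setting is later switched back on, so changing the option fails closed for links already in flight.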