Let's assume the following flow:
Why, after performing these steps, am I not logged in but instead presented with a log-on screen? If we refer back to 1. then it seems obvious that I would like to log in.
Are there any use cases when someone would like to change their password via the "forgot my password" link and then not log in? Unless I'm missing something obvious, the intention is clear and identity was established by using the reset link from the email.
Please tell me what your thoughts are, and whether the user should be logged in after resetting the password.
Related: Should confirm email links autologin if the user is not logged in? (my answer would be yes)
In my opinion: YES.
The authentication has been done when the password is reset, so the user could be logged in. And it annoys the hell out of me when after password reset I'm not logged in.
I can't think of any case I wouldn't want to be logged in after resetting password, why would I even ask for password reset if I don't want to log in?
For the vast majority of situations users should be logged in once they have reset their password. Essentially, once you've authenticated someone enough for them to change a password, you've also authenticated them enough for them to perform the task that they likely wanted to perform.
There are however some relatively rare situations where this isn't feasible:
Where you have a username for a system, but it isn't clear which site you need to log into. For example, if you're an accountant and have a username / password for an online accounting system that you use for many clients. Often there will be separate domain names for each client such as
client2.accounting.com. Here resetting your password would apply across all related sites, but it isn't clear which site you should log into.
If the authentication is handled by a separate system to the application. It's not that it wouldn't be good UX to do this, just that it may be a large technical headache, and so not considered worth the cost.
No. While it seems to be annoying, I see four problems with not having to enter the login information again:
Why not create two buttons "Change password & Login" and "Just change password"? Having another option doesn't hurt in my opinion.
The situation is a bit controversial. Actually it depends upon the user's perspective of how the user reacts depending upon the situation.
We can explain the situation by using two points of view:
From the user's point of view, it is obvious that he/she may think of not entering the password again once he/she has changed it. In that case the user may be annoyed and think that re-entering the password will be a sheer waste of time. So, it is correct not to enter the password again.
From the technical perspective (especially the testing point of view), it may happen that the user might have logged in to the account a few days back using another device such as a mobile phone, tablet, etc.
So, once the password is reset, then the user is again prompted for entering the new password so that the confirmation will be sent to the system as the password is changed. Hence it is required to enter the password again.
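As an added illustration, not part of any answer in this thread: a minimal sketch of a reset handler that logs the user in on completion while treating the emailed link as a single-use, expiring credential and ending sessions left open on other devices. `ResetStore`, its method names, the PBKDF2 parameters and the 15-minute lifetime are assumptions made for the example.

```python
import hashlib, hmac, secrets, time

RESET_TTL = 15 * 60  # assumed lifetime of an emailed reset link, in seconds

def _digest(token):
    # Store only a hash of the token, so a leaked table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

class ResetStore:
    """In-memory stand-in for the user, token and session tables (hypothetical)."""
    def __init__(self):
        self.passwords = {}  # user -> (salt, derived key)
        self.tokens = {}     # sha256(token) -> (user, expiry timestamp)
        self.sessions = {}   # session id -> user

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, _kdf(password, salt))

    def check_password(self, user, password):
        salt, key = self.passwords[user]
        return hmac.compare_digest(key, _kdf(password, salt))

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def issue_reset_token(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = (user, now + RESET_TTL)
        return token  # this value goes into the emailed link

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.tokens.pop(_digest(token), None)  # pop: the link works once
        if entry is None or now > entry[1]:
            return None  # unknown, already used, or expired: no change, no login
        user = entry[0]
        self.set_password(user, new_password)
        # End sessions still open on other devices before issuing the new one.
        for sid in [s for s, u in self.sessions.items() if u == user]:
            del self.sessions[sid]
        return self.login(user)  # fresh session id: the user lands logged in
```
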