From 9e1723c537fee06503a65613398a0953b1dc0042 2017-01-29 08:58:40
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: 2017-01-29 08:58:40
Subject: [PATCH] Redirect with token in session (#24416).

git-svn-id: http://svn.redmine.org/redmine/trunk@16287 e93f8b46-1217-0410-a6f0-8f06a7374b81

---

diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index ece857a..54a29fb 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -60,12 +60,20 @@ class AccountController < ApplicationController
   # Lets user choose a new password
   def lost_password
     (redirect_to(home_url); return) unless Setting.lost_password?
-    if params[:token]
-      @token = Token.find_token("recovery", params[:token].to_s)
+    if prt = (params[:token] || session[:password_recovery_token])
+      @token = Token.find_token("recovery", prt.to_s)
       if @token.nil? || @token.expired?
         redirect_to home_url
         return
       end
+
+      # redirect to remove the token query parameter from the URL and add it to the session
+      if request.query_parameters[:token].present?
+        session[:password_recovery_token] = @token.value
+        redirect_to lost_password_url
+        return
+      end
+
       @user = @token.user
       unless @user && @user.active?
         redirect_to home_url