[SalesForce] Community Password Reset link expiring when using forgotPassword() method but not if using Reset Password button on the User record

When a Community User forgets their Password and uses the Forgot Your Password link and inputs their username they are sent a Password Reset Link via email.

If the customer's email goes through a link scanner that checks links in their emails for malware, viruses, etc., this link expires, and when the user clicks on it they are sent to the same Forgot Your Password page that they originally used to request the Password Reset Link.

The Password Reset Link they receive is in the following format:

https://support.whatevercommunity.com/secur/forgotpassword.jsp?r=LONGTOKENGOESHERE%3D%3D&display=page&fpot=MORELONGTOKENINFO

In order to get the Customer a link so they can reset their password we can send them a password reset link by clicking on the Reset Password Button on the User record for their Community User.

Sending them a Password Reset link using this method sends them a link in the following format:

https://support.whatevercommunity.com/login?c=LONGTOKENGOESHERE

This link does not expire until the link is actually used to reset the password or 24 hours, whichever comes first. The email link scanner does not expire this link, and I am even able to click on the link and not reset the password and still use this link another time and successfully get to the reset password page.

I have tried this using both the default SFDC reset password pages for a Community and using a custom Visualforce page that uses the forgotPassword() method to send the reset link email to the customer. Both of these options send the Customer the same formatted link as described above.

Is this a bug or expected behavior?

Is there any way I can send a link in the same format that SFDC is sending when using the Reset Password Button found on the User record?

Best Answer

Here is what I have learned from the SFDC Success Community and the product managers there.

SFDC has been making changes that are supposed to help with preventing email scanners from following a password reset link by using both the robots.txt and meta tags on the html pages. I have not been able to get clarification on if I need to customize these when not using a template driven community.

Most likely, not all email scanners will honor these requests either.

Difficult to say if this outcome is properly defined as a bug; however, I have also discovered via discussions with them a different system method that can be used but is not recommended.

The method is System.resetPassword(). This method resets the password for the specified user.

SFDC does have a warning of: "Be careful with this method, and do not expose this functionality to end-users."

The reason for this warning is that this method resets the password to a randomly generated password immediately and sends the user a login URL via email that, when followed, requires the user to change their password. This opens this up to possible abuse. I was told this password does not expire until used, which I have not confirmed yet. I do know that if you try to use the link after resetting your password you will get a "URL no longer exists" error page with none of your site's formatting or branding.

This resetPassword() method does send the user a link using the login?c=... format I mention in the original question. This allows the link to be scanned by the email scanner without causing it to expire, as it only expires when the password is reset using the link, unlike the forgotPassword() method.

Until finding a better solution, I have put info on our reset password page letting users know that if their link does not allow them to reset their password, they should put in a request for our support agents to send them a link that will work. I am hesitant to use the resetPassword() method based on their recommendation not to expose it to external users.

UPDATE: Salesforce Summer '18 has added a new intermediate page to keep password reset links from expiring until the end user decides to begin to actually reset their password. Details are in the Release Notes under "Keep Links in Forgot Password Emails from Expiring Prematurely" http://docs.releasenotes.salesforce.com/en-us/summer18/release-notes/rn_security_auth_forgot_password.htm
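The two paths the answer contrasts, as an added Apex example that is not part of the question, the answer, or Salesforce's own code: the self-service page keeps using Site.forgotPassword() with an enumeration-safe response, while System.resetPassword() (the method Salesforce warns not to expose to end users) is reachable only behind a custom permission held by internal support agents. The custom permission name and the Visualforce page name are assumptions.

```apex
// Added example, not from the original question or answer. Assumes a custom
// permission "Support_Can_Reset_Community_Password" (hypothetical name) that is
// assigned only to internal support agents through a permission set.
public with sharing class CommunityPasswordResetController {

    public class ResetNotAllowedException extends Exception {}

    // Bound to the username input on the custom Visualforce forgot-password page.
    public String username { get; set; }

    // Self-service path: wraps Site.forgotPassword(), which sends the
    // forgotpassword.jsp?r=... style link described in the question.
    // The same confirmation page is returned whether or not the username
    // exists, so the response does not reveal valid community usernames.
    public PageReference requestReset() {
        if (String.isNotBlank(username)) {
            Site.forgotPassword(username); // Boolean result deliberately ignored
        }
        PageReference confirm = Page.ForgotPasswordConfirm; // hypothetical page name
        confirm.setRedirect(true);
        return confirm;
    }

    // Support-agent path: System.resetPassword() sends the login?c=... link
    // that link scanners do not consume, but it immediately replaces the
    // user's password, so it is gated on a custom permission and limited to
    // active community (contact-backed) users.
    public static void agentReset(Id targetUserId) {
        if (!FeatureManagement.checkPermission('Support_Can_Reset_Community_Password')) {
            throw new ResetNotAllowedException('Caller may not reset community passwords.');
        }
        User target = [SELECT Id, ContactId, IsActive FROM User WHERE Id = :targetUserId LIMIT 1];
        if (target.ContactId == null || !target.IsActive) {
            throw new ResetNotAllowedException('Only active community users can be reset here.');
        }
        // sendUserEmail = true: the user receives the link by email. The returned
        // ResetPasswordResult carries the temporary password, so it is discarded
        // rather than logged or returned to the caller.
        System.resetPassword(target.Id, true);
    }
}
```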
