Shared frontend user account + password reset #18683
alexander-dal started this conversation in General
Replies: 1 comment
A 403 error means the user is forbidden to do something – in this case that’s probably accessing the control panel. Definitely not related to CSRF, and unlikely a caching bug. Perhaps that user’s permissions were accidentally reduced so it no longer has CP access?
Hi,
I have a website with a frontend-only member area. All users log in using a single shared account (basically a “collective” login). This user has no access to the control panel and no permissions to manage users.
Because of that, password management has to happen via a separate account with CP access. Currently, we’re using the “reset password via URL” flow from the control panel to update the shared account’s password.
After doing that, the client reported that they could no longer log into the dashboard with their normal admin account (403), even after they said they cleared their cache. That made me wonder:
More generally:
Is there a better way to manage credentials for a shared login? Any recommended patterns for this kind of use case?
Would appreciate any thoughts or best practices. Thank you!