diff --git a/core/views/user_registration.py b/core/views/user_registration.py
index 8741d7b..8af197d 100644
--- a/core/views/user_registration.py
+++ b/core/views/user_registration.py
@@ -162,30 +162,33 @@ def register(request, url_username=None): else: form = register_form(initial=initial_values) - - if request.method == "POST": form = register_form(request.POST) if form.is_valid(): - print("POST VALID") + print("POST VALID") # so now username and email fields are readonly un = form.cleaned_data["username"] pw= form.cleaned_data["password1"] email = form.cleaned_data["email"] expoers = User.objects.filter(username=un) - if len(expoers) != 0: - # this is a password re-set, not a new registration. So we need to check it is the same person. - form_user = expoers[0] - if request.user != form_user: - print(f"## UNAUTHORIZED Password reset ## {request.user} {form_user}") - # return render(request, "login/register.html", {"form": form, "unauthorized": True}) + # if this is LOGONABLE user and we are not logged on + # NOT just save the data ! Anyone could do that.. + # we are now in a state where password should only be re-set by email token + # but rather than redirect (off-putting) we just make the password fields read-only + if len(expoers) > 0: + form.fields["password1"].widget.attrs["readonly"]="readonly" + form.fields["password2"].widget.attrs["readonly"]="readonly" + # create User in the system and refresh stored encrypted user list and git commit it: updated_user = register_user(un, email, password=pw, pwhash=None) save_users(request, updated_user, email) # to do, login automatically, and redirect to control panel ? 
- return HttpResponseRedirect("/accounts/login/") + form.fields["username"].widget.attrs["readonly"]="readonly" + form.fields["email"].widget.attrs["readonly"]="readonly" + return render(request, "login/register.html", {"form": form, "email_stored": True}) + # return HttpResponseRedirect("/accounts/login/") else: # GET pass - return render(request, "login/register.html", {"form": form, "warning": warning, "logged_in": logged_in}) + return render(request, "login/register.html", {"form": form}) def save_users(request, updated_user, email="troggle@exposerver.expo"):
@@ -350,7 +353,13 @@ class register_form(forms.Form): # not a model-form, just a form-form ) email = cleaned_data.get("email") users = User.objects.filter(email=email) - if len(users) != 0: + if len(users) > 1: raise ValidationError( - "Duplicate email address. Another registered user is already using this email address. Email addresses must be unique as that is how we reset forgotten passwords." - ) \ No newline at end of file + f"Duplicate email address. Another registered user {users} is already using this email address. Email addresses must be unique as that is how we reset forgotten passwords." + ) + if len(users) == 1: + if users[0].username != un: + raise ValidationError( + f"Duplicate email address. Another registered user '{users[0]}' is already using this email address. Email addresses must be unique as that is how we reset forgotten passwords." + ) + \ No newline at end of file
diff --git a/templates/login/register.html b/templates/login/register.html
index e832ade..2fc8219 100644
--- a/templates/login/register.html
+++ b/templates/login/register.html
@@ -68,11 +68,19 @@ So type in the same email address that you use there if you have already signed
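Review bot: Setting `readonly` on the password widgets for an existing username does not stop the submitted password from being stored: the `len(expoers) > 0` branch only edits widget attrs, and `register_user(un, email, password=pw, pwhash=None)` followed by `save_users(...)` still run unconditionally, so the `request.user != form_user` guard this hunk removes has no replacement on the write path and an unauthenticated POST naming an existing user can still rewrite that account's password and email, unless `register_user` ignores `password` for existing users, which is not visible here. The branch should return before the save when the account exists and the requester is not its owner, for example `if len(expoers) > 0 and request.user != expoers[0]: return render(request, "login/register.html", {"form": form, "unauthorized": True})`, leaving the read-only widget attrs to decorate only the re-rendered form. The final `return render(...)` also drops `warning` and `logged_in` from the context while the register.html hunk in this same commit still tests `{% if logged_in %}`, so that template branch can no longer be taken. The `print("POST VALID")` and `print(f"## UNAUTHORIZED ...")` debug output belongs in `logging` rather than stdout. The body of register starts above this hunk.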
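Review bot: The new `ValidationError` messages interpolate `{users}` and `'{users[0]}'`, so the form now tells whoever submits an email address which registered username owns it (and, in the `> 1` case, a QuerySet repr of several accounts), whereas the message being removed only said the address was taken. Keep the user-facing text generic, e.g. `"Duplicate email address. Another registered user is already using this email address. Email addresses must be unique as that is how we reset forgotten passwords."`, and log the conflicting usernames server-side if they are needed for debugging. The comparison `users[0].username != un` relies on `un` being bound earlier in `clean()`, outside this hunk; if it came from a `cleaned_data.get(...)` that returned `None` because the username field failed validation, every single-match case would raise the duplicate error even for the address's owner. register_form.clean continues above this hunk.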
{% csrf_token %}

+ {% if email_stored %} + + {% else %} + {% endif %} {{form.username}}

+ {% if email_stored %} + + {% else %} + {% endif %} {{form.email}}

{% if logged_in %} Get login token by email → {% else %} -     - + {% else %} + {% if email_stored %} + {% else %} + + {% endif %} + {% endif %} + {%endif %} +{% if email_stored %} + +{% endif %}
diff --git a/templates/login/register_email.html b/templates/login/register_email.html
index 49e9791..1768168 100644
--- a/templates/login/register_email.html
+++ b/templates/login/register_email.html
@@ -24,6 +24,10 @@ Email change - for a personal login to Troggle

Register your email address

diff --git a/urls.py b/urls.py
index d873368..396e1b3 100644
--- a/urls.py
+++ b/urls.py
@@ -1,7 +1,7 @@ from django.conf import settings from django.conf.urls.static import static from django.contrib import admin -from django.contrib.auth.views import PasswordResetView # class-based view +from django.contrib.auth.views import PasswordResetView, PasswordResetConfirmView # class-based views from django.urls import include, path, re_path
@@ -172,11 +172,12 @@ trogglepatterns = [ # NB setting url pattern name to 'login' instea dof 'expologin' with override Django, see https://docs.djangoproject.com/en/dev/topics/http/urls/#naming-url-patterns path('accounts/logout/', expologout, name='expologout'), # same as in django.contrib.auth.urls path('accounts/login/', expologin, name='expologin'), # same as in django.contrib.auth.urls - path("accounts/register/", register, name="re_register"), # overriding django.contrib.auth.urls + path("accounts/register/", register, name="re_register"), # overriding django.contrib.auth.urls path("accounts/register/", register, name="register"), # overriding django.contrib.auth.urls path("accounts/newregister/", newregister, name="newregister"), path("accounts/reset/done/", reset_done, name="password_reset_done"), # overriding django.contrib.auth.urls path('accounts/password_reset/', PasswordResetView.as_view(form_class=ExpoPasswordResetForm), name='password_reset'), + path('accounts/reset///', PasswordResetConfirmView.as_view(), name="password_reset_confirm"), path('accounts/', include('django.contrib.auth.urls')), # see line 109 in this file NB initial "/accounts/" in URL path('person/', person, name="person"),
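Review bot: The added route reads `'accounts/reset///'`, which carries no `uidb64` and `token` path converters; if that is the literal pattern, `PasswordResetConfirmView` will fail on dispatch because it expects those two kwargs, and if the converters were stripped when this page was rendered the line should be confirmed as `path('accounts/reset/<uidb64>/<token>/', PasswordResetConfirmView.as_view(), name="password_reset_confirm")`. Its position before `include('django.contrib.auth.urls')` is what lets it take precedence over Django's own `password_reset_confirm` entry, so a trailing `# overriding django.contrib.auth.urls` comment, matching the neighbouring lines, would stop a later edit from reordering it. The `trogglepatterns` list starts and ends outside this hunk.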