- Issue created by @jabeler
- United States mfb San Francisco
I haven't seen this issue, so I'd say more investigation is needed to figure out in what circumstances gmail breaks the one-time login links.
- India anushrikumari
The browser handles the interpretation of every link present in Gmail. The data-saferedirecturl label is automatically appended.
The link displayed on href in your browser appears to lead to one destination but redirects to a URL originating from Google, such as https://www.google.com/url?q= . By doing this, confidential information remains inaccessible to any external parties. So I think this is working as designed.
- Status changed to Postponed: needs info
7 months ago 9:22am 15 November 2023
- Australia larowlan .au GMT+10
Perhaps a browser extension?
- United Kingdom peterjlord
I've just come across this problem
Do we have any fixes? I haven't been able to find a workaround for this so far.
I have also tried to replicate this on Drupal.org, but these links appear to work normally. We are running Drupal 10.1.6 on PHP 8.2, but I am not sure what versions the main .org site is on. The reports we have been seeing do seem to coincide with the release of 10.1.6, but that could just be a coincidence.
I have tried with and without browser plugins disabled, so I don't think that is related.
This is definitely not a case of a malware scanner visiting a one-time link and invalidating it, because after clicking the link (and having it fail) I can copy/paste the link into a browser and it works. This of course is a direct link instead of being routed through Gmail's servers.
I suppose it could be related to a specific module installed on Drupal, but I can't say which may be causing an issue as there are no relevant log entries when the links fail. Here's a list of the modules we currently have installed on the site. If others are seeing issues, maybe we can narrow it down to one of these.
- Add To Head 8.x-1.0-beta1
- Admin Toolbar 3.4.2
- Advanced CSS/JS Aggregation 6.0.0-alpha1
- Aggregator 2.1.4
- Backup and Migrate 5.0.3
- Backup and Migrate: AWS S3 5.0.7
- Block Classes 1.0.2
- CAPTCHA 2.0.5
- Chaos Tool Suite (ctools) 8.x-3.14
- CloudFlare 2.0.0-alpha1
- Coffee 8.x-1.3
- Color backport 1.0.3
- Discourse SSO 2.0.0-rc7
- DXPR Theme Helper 1.0.4
- Email Confirmer 8.x-1.0-beta7 (issue predates installation of this)
- External Links 8.x-1.7
- Font Awesome Icons 8.x-2.26
- Gin Login 2.0.3
- Gin Toolbar 8.x-1.0-rc4
- Honeypot 2.1.3
- Key 8.x-1.17
- Login Email or Username 2.1.0
- Mail System 8.x-4.4
- Menu Items Visibility 1.1.0
- Message Banner 2.0.0 (issue predates installation of this)
- Metatag 2.0.0
- Pathauto 8.x-1.12
- Persistent Login 2.1.1
- PHPMailer SMTP 2.2.3
- Purge 8.x-3.5
- reCAPTCHA 8.x-3.2
- reCAPTCHA v3 2.0.2
- Redirect 8.x-1.9
- Redirect 403 to User Login 2.2.1
- Schema.org Metatag 3.0.1
- Simple XML sitemap 4.1.7
- Token 8.x-1.13
- Typed Data API enhancements 8.x-1.0-beta2
- User Name Validation 8.x-1.2
- Views Bulk Operations (VBO) 4.2.5
- Zendesk remote authentication 3.0.0-alpha8
- Bootstrap5 3.0.10
- DXPR Theme | Drupal Theme | Low-code Drupal 10 Bootstrap Theme 5.2.0
- Gin Admin Theme 8.x-3.0-rc7
This is also broken when using outlook.live.com to view email.
Links are being routed through:
https://na01.safelinks.protection.outlook.com/?link
- Australia larowlan .au GMT+10
Is it specific to one browser?
I have seen it in the latest versions of Safari and Brave on Mac, so I don't think it's browser specific.
Update! I was able to locate a log entry which is created when these links fail.
Path: /user/reset/xxxxxx. Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: in Drupal\user\Controller\UserController->getResetPassForm() (line 194 of /home/xxx/xxx/web/core/modules/user/src/Controller/UserController.php).
I can replicate this issue 100% of the time by clicking reset links in both the gmail and outlook webmail UIs.
As before, if I copy paste the link into a browser manually (either before or after clicking in the web UI) the reset link works as expected.
I have tracked down a way to work around this.
Changing the cookie_samesite option in the site's services.yml from Strict to Lax allows these redirected links in Gmail and Outlook to work normally.
I'm not certain if this broken behavior is expected or can be fixed, but I have added this info to the OP.
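A simplified model of why that setting matters, added here as an example and not taken from the thread, Drupal or any browser: it assumes the one-time link stores its token in a fresh session and redirects to a form URL that reads it back, which is consistent with the AccessDeniedHttpException logged in getResetPassForm(). The host `example.org`, the uid, the token values and the `reset_token` key are constructed.

```python
from urllib.parse import urlsplit

def site(url):
    """Registrable domain, simplified to the last two host labels (no public-suffix list)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def cookie_sent(samesite, initiator, target, method="GET"):
    """Model of the SameSite check for a top-level navigation to `target`.

    `initiator` is the page that started the navigation, or None when the URL
    was typed or pasted into the address bar.
    """
    if initiator is None or site(initiator) == site(target):
        return True                      # same-site: every SameSite mode sends the cookie
    if samesite == "Lax":
        return method == "GET"           # cross-site: Lax only on safe top-level navigations
    return samesite == "None"            # Strict never; None always

def reset_flow(samesite, initiator, link):
    """Return the status the user ends up with after opening a one-time link.

    Assumed server behaviour: the link URL stores the token in a new session,
    sets the session cookie and answers 302 to a form URL that reads the session.
    """
    parts = urlsplit(link)
    form_url = f"{parts.scheme}://{parts.netloc}/user/reset/1"
    # Step 1: no cookie exists yet, so the server accepts the link and sets one.
    session_cookie = {"samesite": samesite, "reset_token": "constructed-token"}
    # Step 2: the browser follows the 302. The navigation still belongs to
    # `initiator`, so the freshly set cookie goes through the same check.
    if cookie_sent(session_cookie["samesite"], initiator, form_url):
        return 200                       # form finds the token in the session
    return 403                           # empty session, access denied

# Constructed sample values.
LINK = "https://example.org/user/reset/1/1700000000/constructed-hash"
WEBMAIL = "https://www.google.com/url?q=..."

if __name__ == "__main__":
    for mode in ("Strict", "Lax"):
        for origin in (WEBMAIL, None):
            print(mode, "webmail" if origin else "pasted", reset_flow(mode, origin, LINK))
```

With Lax the session cookie is still withheld from cross-site POSTs and subresource requests; only top-level GET navigations such as these links are affected by the change.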
- Status changed to Closed: outdated
4 months ago 1:44pm 12 February 2024