One-time login links break in Gmail/Outlook if samesite: strict is set on session cookies (expected outcome of "strict")

Created on 14 November 2023, 7 months ago
Updated 12 February 2024, 4 months ago

Problem/Motivation

When using Gmail's web interface it is not possible to click on one-time login links.

This is a recent change, and it's not clear if it is related to updating to Drupal 10.1.6 or something on Google's end.

Copying the link from the page and manually pasting it into a browser does work...but most users aren't going to do this.

It seems Gmail is now directing links through their servers, probably for phishing scanning purposes. I can't say what is happening to these links, but something is changing which is breaking usability.

Normal password reset link

https://drupal-site.com/user/reset/13213/1699992232/vdoyJ-LvDK1wqFNnVy80nZgZIbYjjh2Bdk04SzzcI7Y

Where a user is sent when clicking a link in Gmail

https://www.google.com/url?q=https://drupal-site.com/user/reset/13213/1699992232/vdoyJ-LvDK1wqFNnVy80nZgZIbYjjh2Bdk04SzzcI7Y&source=gmail&ust=1700086657501000&usg=AOvVaw3IoBxbye61ghN-IFnfRHKn

Full a href code from Gmail

<a href="https://drupal-site.com/user/reset/13213/1699992232/vdoyJ-LvDK1wqFNnVy80nZgZIbYjjh2Bdk04SzzcI7Y" rel="noreferrer" target="_blank" data-saferedirecturl="https://www.google.com/url?q=https://drupal-site.com/user/reset/13213/1699992232/vdoyJ-LvDK1wqFNnVy80nZgZIbYjjh2Bdk04SzzcI7Y&amp;source=gmail&amp;ust=1700086657501000&amp;usg=AOvVaw3IoBxbye61ghN-IFnfRHKn">https://drupal-site.com/user/rese
<wbr>
t/1/1699992232/vdoyJ-LvDK1wqFN
<wbr>
nVy80nZgZIbYjjh2Bdk04SzzcI7Y
</a>

Steps to reproduce

1. Request a password reset link to Gmail address
2. Using a web browser, log in to Gmail and open the email
3. Click the link
4. You will be taken to a login page instead of being logged in.

Using something like Mail.app on macOS does not exhibit this issue.

Proposed resolution

I realize this is probably a Gmail problem, but it's a popular service and they are probably going to continue to do Gmail things.

I don't have a suggestion for how this can be fixed, only that I think it should be.

Support request
Status

Closed: outdated

Version

10.1

Component
User system


Comments & Activities

  • Issue created by @jabeler
  • United States mfb San Francisco

    I haven't seen this issue, so I'd say more investigation is needed to figure out in what circumstances gmail breaks the one-time login links.

  • India anushrikumari

    The browser handles the interpretation of every link present in Gmail. The data-saferedirecturl label is automatically appended.
    The link displayed on href in your browser appears to lead to one destination but redirects to a URL originating from Google, such as https://www.google.com/url?q= . By doing this, confidential information remains inaccessible to any external parties.

    So I think this is working as designed.

  • Status changed to Postponed: needs info 7 months ago
  • Australia larowlan .au GMT+10

    Perhaps a browser extension?

  • United Kingdom peterjlord

    I've just come across this problem.
    Do we have any fixes?

  • I haven't been able to find a workaround for this so far.

    I have also tried to replicate this on Drupal.org, but these links appear to work normally. We are running Drupal 10.1.6 on PHP 8.2, but am not sure what versions the main .org site is on. The reports we have been seeing do seem to coincide with the release of 10.1.6, but that could just be a coincidence.

    I have tried with and without browser plugins disabled, so I don't think that is related.

    This is definitely not a case of a malware scanner visiting a one-time link and invalidating it, because after clicking the link (and having it fail) I can copy/paste the link into a browser and it works. This of course is a direct link instead of being routed through Gmail's servers.

    I suppose it could be related to a specific module installed on Drupal, but I can't say which may be causing an issue as there are no relevant log entries when the links fail. Here's a list of the modules we currently have installed on the site. If others are seeing issues maybe we can narrow it down to one of these.

    • Add To Head 8.x-1.0-beta1
    • Admin Toolbar 3.4.2
    • Advanced CSS/JS Aggregation 6.0.0-alpha1
    • Aggregator 2.1.4
    • Backup and Migrate 5.0.3
    • Backup and Migrate: AWS S3 5.0.7
    • Block Classes 1.0.2
    • CAPTCHA 2.0.5
    • Chaos Tool Suite (ctools) 8.x-3.14
    • CloudFlare 2.0.0-alpha1
    • Coffee 8.x-1.3
    • Color backport 1.0.3
    • Discourse SSO 2.0.0-rc7
    • DXPR Theme Helper 1.0.4
    • Email Confirmer 8.x-1.0-beta7 (issue predates installation of this)
    • External Links 8.x-1.7
    • Font Awesome Icons 8.x-2.26
    • Gin Login 2.0.3
    • Gin Toolbar 8.x-1.0-rc4
    • Honeypot 2.1.3
    • Key 8.x-1.17
    • Login Email or Username 2.1.0
    • Mail System 8.x-4.4
    • Menu Items Visibility 1.1.0
    • Message Banner 2.0.0 (issue predates installation of this)
    • Metatag 2.0.0
    • Pathauto 8.x-1.12
    • Persistent Login 2.1.1
    • PHPMailer SMTP 2.2.3
    • Purge 8.x-3.5
    • reCAPTCHA 8.x-3.2
    • reCAPTCHA v3 2.0.2
    • Redirect 8.x-1.9
    • Redirect 403 to User Login 2.2.1
    • Schema.org Metatag 3.0.1
    • Simple XML sitemap 4.1.7
    • Token 8.x-1.13
    • Typed Data API enhancements 8.x-1.0-beta2
    • User Name Validation 8.x-1.2
    • Views Bulk Operations (VBO) 4.2.5
    • Zendesk remote authentication 3.0.0-alpha8
    • Bootstrap5 3.0.10
    • DXPR Theme | Drupal Theme | Low-code Drupal 10 Bootstrap Theme 5.2.0
    • Gin Admin Theme 8.x-3.0-rc7
  • This is also broken when using outlook.live.com to view email.

    Links are being routed through: https://na01.safelinks.protection.outlook.com/?link

  • Australia larowlan .au GMT+10

    Is it specific to one browser?

  • I have seen it in the latest versions of Safari and Brave on Mac, so I don't think it's browser specific.

  • Update! I was able to locate a log entry which is created when these links fail.

    Path: /user/reset/xxxxxx. Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: in Drupal\user\Controller\UserController->getResetPassForm() (line 194 of /home/xxx/xxx/web/core/modules/user/src/Controller/UserController.php).

    I can replicate this issue 100% of the time by clicking reset links in both the gmail and outlook webmail UIs.

    As before, if I copy paste the link into a browser manually (either before or after clicking in the web UI) the reset link works as expected.
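The exception in the log entry above is the symptom of a two-hop flow: the one-time link sets the session and redirects, and the second request arrives without the session cookie. The following constructed model (added to this issue as an illustration; it is neither Drupal core nor browser code) follows a click from Gmail's google.com/url?q= redirector through Drupal's /user/reset/{uid}/{timestamp}/{hash} controller under the SameSite settings the issue title names. The redirect target /user/reset/{uid} and the session keys pass_reset_hash / pass_reset_timeout follow UserController::resetPass and getResetPassForm as I read them; the uid, hash, hostnames and the browser's SameSite rule are simplified assumptions, with the redirect-chain rule (a chain that started on another site stays cross-site) matching what current browsers do for Strict cookies.

```python
"""Model of a one-time login link clicked through a webmail redirector.

Constructed illustration for this issue, not Drupal or browser code. Modelled
Drupal flow: GET /user/reset/{uid}/{timestamp}/{hash} stores the hash in the
session (UserController::resetPass) and 302s to /user/reset/{uid};
getResetPassForm reads it back and throws AccessDeniedHttpException if absent.
Session key names follow that controller as I recall them; everything else
(hash, uid, hostnames) is made up.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

SITE = "https://drupal-site.com"
HASH = "vdoyJ-LvDK1wqFNnVy80nZgZIbYjjh2Bdk04SzzcI7Y"   # constructed, copied from the report


def site_of(url: str) -> str:
    """Crude registrable-domain 'site' for SameSite comparisons (assumption)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


class DrupalSite:
    """Minimal stand-in for Drupal's two-step password reset controller."""

    def __init__(self, cookie_samesite: str):
        self.cookie_samesite = cookie_samesite      # services.yml cookie_samesite
        self.sessions: dict = {}
        self.valid = {"13213": HASH}               # uid -> currently valid hash

    def handle(self, url, cookies):
        parts = urlsplit(url).path.strip("/").split("/")
        if parts[:2] == ["user", "reset"] and len(parts) == 5:
            uid, timestamp, hsh = parts[2:]
            if self.valid.get(uid) != hsh:
                return 403, {}, "invalid or expired link"
            sid = f"SESS{len(self.sessions) + 1}"
            self.sessions[sid] = {"pass_reset_hash": hsh, "pass_reset_timeout": timestamp}
            return 302, {"location": f"{SITE}/user/reset/{uid}",
                         "set-cookie": ("SESS", sid, self.cookie_samesite)}, ""
        if parts[:2] == ["user", "reset"] and len(parts) == 3:
            session = self.sessions.get(cookies.get("SESS", ""), {})
            if "pass_reset_hash" not in session:
                # This is the AccessDeniedHttpException from getResetPassForm().
                return 403, {}, "AccessDeniedHttpException in getResetPassForm()"
            return 200, {}, "password reset form"
        return 404, {}, ""


def google_redirector(url, cookies):
    """www.google.com/url?q=<target>: bounce the browser to the wrapped link."""
    target = parse_qs(urlsplit(url).query)["q"][0]
    return 302, {"location": target}, ""


@dataclass
class Browser:
    """Only the SameSite rule matters here: Strict cookies are withheld from a
    top-level navigation whose redirect chain started on another site; Lax
    cookies are sent on top-level GET navigations regardless (assumption)."""
    hosts: dict
    jar: dict = field(default_factory=dict)   # host -> {name: (value, samesite)}

    def navigate(self, url, initiator=None):
        chain_sites = {site_of(initiator)} if initiator else set()
        while True:
            cross_site = any(s != site_of(url) for s in chain_sites)
            chain_sites.add(site_of(url))
            host = urlsplit(url).hostname
            cookies = {n: v for n, (v, ss) in self.jar.get(host, {}).items()
                       if ss.lower() != "strict" or not cross_site}
            status, headers, body = self.hosts[host](url, cookies)
            if "set-cookie" in headers:
                name, value, ss = headers["set-cookie"]
                self.jar.setdefault(host, {})[name] = (value, ss)
            if status == 302:
                url = headers["location"]   # same chain: cross-site stays cross-site
                continue
            return status, body


def click_reset_link(cookie_samesite: str, via_webmail: bool) -> int:
    """Final HTTP status after following the one-time link end to end."""
    site = DrupalSite(cookie_samesite)
    browser = Browser(hosts={"drupal-site.com": site.handle,
                             "www.google.com": google_redirector})
    link = f"{SITE}/user/reset/13213/1699992232/{HASH}"
    if via_webmail:
        # Gmail rewrites the click to its redirector, initiated from mail.google.com.
        wrapped = f"https://www.google.com/url?q={link}&source=gmail"
        status, _ = browser.navigate(wrapped, initiator="https://mail.google.com/")
    else:
        # Pasting the link into the address bar: no cross-site initiator.
        status, _ = browser.navigate(link)
    return status


if __name__ == "__main__":
    for samesite in ("Strict", "Lax"):
        for via in (True, False):
            print(samesite, "via webmail" if via else "pasted", "->",
                  click_reset_link(samesite, via))
```

With Strict the session cookie set by the first hop is never presented on the redirect to /user/reset/{uid}, so the controller sees no pass_reset_hash and denies access; with Lax the top-level GET carries it. Pasting the link directly is a same-site chain, so it works under either setting, which is why the copy/paste workaround above succeeds.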

  • I have tracked down a way to workaround this.

    Changing the cookie_samesite option in the site's services.yml from Strict to Lax allows these redirected links in Gmail and Outlook to work normally.

    I'm not certain if this broken behavior is expected or can be fixed, but I have added this info to the OP.
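The workaround above as a services.yml fragment, added here as an illustration rather than taken from the issue or from Drupal core. The key names are Drupal core's session.storage.options parameters from default.services.yml; the two values are the ones compared in this issue.

```yaml
# sites/default/services.yml (site copy of core's default.services.yml)
parameters:
  session.storage.options:
    # Strict: the browser withholds the session cookie from any navigation whose
    # redirect chain began on another site, which includes Gmail's
    # google.com/url?q=... and Outlook's safelinks wrappers. The second hop of
    # /user/reset/{uid}/{timestamp}/{hash} then arrives without a session and
    # getResetPassForm() throws AccessDeniedHttpException.
    # cookie_samesite: Strict
    #
    # Lax (Drupal's default): still withheld on cross-site POSTs and
    # subresource requests, but sent on top-level GET navigations, so the
    # one-time link completes.
    cookie_samesite: Lax
```

After editing services.yml rebuild the cache (drush cr) so the container picks up the new parameter, and note that the attribute is written when a cookie is issued: sessions created while Strict was in effect keep it until the cookie is set again.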

  • Status changed to Closed: outdated 4 months ago
  • United States cilefen