When external link has a referrer, /user/login?destination= shows login screen when logged in if samesite: strict is set on session cookies (expected outcome of "strict")

Created on 20 December 2023, 6 months ago
Updated 12 February 2024, 4 months ago

We've created an email that gets sent to users that contains a link to a login-protected page:
https://example.com/user/login/?destination=/protected-page

When that link is visited directly (i.e., typed in or copy/pasted), it works as designed: if a user is logged in already, they are redirected to /protected-page. If they are not logged in, they are asked to log in, then are redirected.

However, if the link is clicked (i.e., from an email notification), the login screen is presented no matter what. If the user simply selects the URL in the address bar and hits [enter], the page loads normally.

Unless this is done intentionally (and I can't imagine why), I believe this is a bug.

💬 Support request
Status

Closed: works as designed

Version

10.2 ✨

Component
User system →

Last updated about 9 hours ago

Created by

🇺🇸 United States greatmatter


Comments & Activities

  • Issue created by @greatmatter
  • 🇺🇸 United States cilefen

    Is the email system manipulating the link? What is the URL path logged by the web server in these cases?

  • 🇺🇸 United States greatmatter

    It's the same exact link; I even looked at the email source and pulled the link directly.

    I then tested by putting the link into another website, clicking it, and had the same issue.

  • 🇺🇸 United States cilefen

    Do you have SameSite=strict on the session cookie? And what about that access log analysis?

  • Status changed to Closed: works as designed 6 months ago
  • 🇺🇸 United States greatmatter

    @cilefen - First and foremost: thank you for your guidance! This issue is obviously not a bug. And I learned something new today about SameSite. (For anyone else landing here for whatever reason, read this article about Same Site cookies, as I had no idea this setting impacted referred links.)

    Back to the solution, following your steps:

    SameSite=Strict is on the session cookie (I stumbled across this thread while quadruple-checking things, heh).

    After setting SameSite=Lax, the link is working as intended.

    The access log shows the correct link (though it doesn't matter, as the SameSite setting was causing the issue):
    /user/login/?destination=/protected-page

    Thank you again!

  • 🇺🇸 United States cilefen

    Good. The more you explained the symptoms, the more this sounded like the expected behavior of browsers with SameSite=strict.
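The behaviour discussed in this thread can be reproduced without a browser by modelling the SameSite rules a browser applies when deciding whether to attach a cookie. The following is an added example, not Drupal code and not part of the original issue: it simulates the cookie decision for a top-level navigation and then applies the observed logic of `/user/login?destination=` (redirect when the session cookie arrives, otherwise render the login form). Assumptions: the session cookie is named `SESS` as a placeholder, the "site" of a URL is approximated as the last two host labels (no public-suffix list), and the `Secure` requirement for `SameSite=None` and the short "Lax-allowing-unsafe" window some browsers apply are omitted.

```python
"""Simulate which cookies a browser attaches under SameSite rules and what a
Drupal-style /user/login?destination= route does as a result.

Constructed example; not Drupal code and not a complete RFC 6265bis model."""
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str  # "Strict", "Lax" or "None"


@dataclass(frozen=True)
class Request:
    url: str                      # URL being requested
    initiator: Optional[str]      # page the navigation came from; None when typed/pasted/bookmarked
    method: str = "GET"
    top_level: bool = True        # True for a navigation, False for a subresource or fetch()


SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(url: str) -> str:
    """Naive registrable domain: last two host labels (assumption: no public-suffix list)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def is_same_site(req: Request) -> bool:
    # A URL typed into the address bar has no initiator: browsers treat it as same-site,
    # which is why re-entering the URL "fixed" the page in the thread above.
    if req.initiator is None:
        return True
    return site_of(req.initiator) == site_of(req.url)


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Apply the SameSite attribute to one request."""
    if is_same_site(req):
        return True
    if cookie.samesite == "Strict":
        return False                      # never on a cross-site request, links included
    if cookie.samesite == "Lax":
        # Sent only on top-level navigations with a safe method (e.g. clicking a link).
        return req.top_level and req.method.upper() in SAFE_METHODS
    return True                           # SameSite=None (browsers also require Secure; omitted)


def login_route(req: Request, sent_cookies: Iterable[Cookie]) -> str:
    """Mimic the observed behaviour: redirect if the session cookie arrived, else show the form."""
    query = parse_qs(urlsplit(req.url).query)
    destination = query.get("destination", ["/"])[0]
    if any(c.name == "SESS" for c in sent_cookies):   # placeholder session cookie name
        return f"302 -> {destination}"
    return "200 login form"


def simulate(samesite: str, initiator: Optional[str], method: str = "GET") -> str:
    """Run one navigation to the login link from the thread with a logged-in session cookie."""
    session = Cookie("SESS", samesite)
    req = Request("https://example.com/user/login/?destination=/protected-page", initiator, method)
    sent = [c for c in (session,) if cookie_is_sent(c, req)]
    return login_route(req, sent)


if __name__ == "__main__":
    webmail = "https://mail.example.net/inbox"      # constructed cross-site initiator (an email client)
    print("Strict, link from webmail:", simulate("Strict", webmail))   # login form although logged in
    print("Lax,    link from webmail:", simulate("Lax", webmail))      # redirect to destination
    print("Strict, URL typed in bar: ", simulate("Strict", None))      # redirect to destination
```

The same model also shows why `Lax` is the usual compromise: a cross-site top-level `POST` still arrives without the cookie, so the protection against cross-site request forgery on state-changing requests is kept while plain links from email or other sites keep working.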
