- Issue created by @greatmatter
- πΊπΈUnited States cilefen
Is the email system manipulating the link? What is the URL path logged by the web server in these cases?
- πΊπΈUnited States greatmatter
It's the same exact link; I even looked at the email source and pulled the link directly.
I then tested by putting the link into another website, clicking it, and had the same issue.
- πΊπΈUnited States cilefen
Do you have SameSite=strict on the session cookie? And what about that access log analysis?
- Status changed to Closed: works as designed
6 months ago 3:37pm 21 December 2023 - πΊπΈUnited States greatmatter
@cilefen - First and foremost: thank you for your guidance! This issue is obviously not a bug. And I learned something new today about SameSite. (For anyone else landing here for whatever reason, read this article about Same Site cookies, as I had no idea this setting impacted referred links.)
Back to the solution: Following your steps:
SameSite=Strict is on the session cookie (I stumbled across this thread while quadruple-checking things, heh)After setting SameSite=Lax, the link is working as intended.
The access log shows the correct link (though it doesn't matter, as the SameSite setting was causing the issue):
/user/login/?destination=/protected-pageThank you again!
- πΊπΈUnited States cilefen
Good. The more you explained the symptoms, the more this sounded like the expected behavior of browsers with
SameSite=strict
.