
php url encode issue


I send out an HTML email on user activation with a token that I encode with rawurlencode().

So the link appears in the email like this:

<a href="http://site.com/auth?action=confirmActivation&amp;user=79&amp;token=zlKoFo%22f%27g%3FtUb%27%29Z~L1%25zKh%5EG%23_Aj%5Ckbbbd4fdb9121b50f643f12c937ab1c03d5f09861" target="_blank">Click here to activate your account</a>

When however I click on this link, my page url looks like this:

http://site.com/auth?action=confirmActivation&user=79&token=zlKoFo%22f%27g%3FtUb%27%29Z~L1%25zKh^G%23_Aj%5Ckbbbd4fdb9121b50f643f12c937ab1c03d5f09861

So, the token before (this is how it appears in my email):

zlKoFo%22f%27g%3FtUb%27%29Z~L1%25zKh%5EG%23_Aj%5Ckbbbd4fdb9121b50f643f12c937ab1c03d5f09861

Token after:

zlKoFo%22f%27g%3FtUb%27%29Z~L1%25zKh^G%23_Aj%5Ckbbbd4fdb9121b50f643f12c937ab1c03d5f09861

Looks like my browser does some conversion automatically when I click? Why?


Solution

  • This is because %5E (^) is being urlencoded by PHP (which encodes all non-alphanumeric chars except -_). This is not RFC-compliant. The browser sees this, and "fixes" the encoding to be RFC-compliant by decoding everything, then encoding only the chars that cause issues in URLs (^ not being one of them). The PHP rawurlencode is RFC-compliant, but really, the browser may not itself be RFC-compliant, and may only encode things like spaces and ~, etc. I would suggest that you just urldecode whatever token you get and use that result, which will be consistent either way. If you have troublesome chars in the token, base64 encode it to solve that.
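
The comparison described in the answer, as an added example that is not part of the original post: it parses both query strings from the question the way PHP fills `$_GET`, compares the decoded tokens in constant time, and then generates a token in the URL-safe base64 alphabet (a substitution for plain base64, whose `+`, `/` and `=` would themselves need escaping). The helper names `tokenFromQuery`, `tokenMatches` and `newUrlSafeToken` are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Query strings copied from the question: as written in the e-mail (%5E)
// and as shown in the address bar after the click (literal ^).
$emailQuery   = 'action=confirmActivation&user=79&token=zlKoFo%22f%27g%3FtUb%27%29Z~L1%25zKh%5EG%23_Aj%5Ckbbbd4fdb9121b50f643f12c937ab1c03d5f09861';
$browserQuery = 'action=confirmActivation&user=79&token=zlKoFo%22f%27g%3FtUb%27%29Z~L1%25zKh^G%23_Aj%5Ckbbbd4fdb9121b50f643f12c937ab1c03d5f09861';

// Hypothetical helper: parse_str() decodes a query string the same way
// PHP does when it fills $_GET, so this returns the already-decoded token.
function tokenFromQuery(string $query): string
{
    parse_str($query, $params);
    return is_string($params['token'] ?? null) ? $params['token'] : '';
}

// Hypothetical helper: constant-time comparison of stored vs. received token.
// An empty stored token never matches.
function tokenMatches(string $stored, string $received): bool
{
    return $stored !== '' && hash_equals($stored, $received);
}

// Hypothetical helper: random token in the URL-safe base64 alphabet
// (A-Z a-z 0-9 - _), which rawurlencode() leaves untouched.
function newUrlSafeToken(int $bytes = 32): string
{
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

$stored     = tokenFromQuery($emailQuery);   // stands in for the value saved at signup
$viaBrowser = tokenFromQuery($browserQuery); // what the server receives after the click

printf("decoded token:      %s\n", $stored);
printf("browser form match: %s\n", var_export(tokenMatches($stored, $viaBrowser), true));

$token = newUrlSafeToken();
printf("new token:          %s\n", $token);
printf("needs escaping:     %s\n", var_export(rawurlencode($token) !== $token, true));
```

PHP has already decoded the values in `$_GET`, so a token read from there is compared as-is; a second urldecode() could alter a token that contains a literal `%` or `+`.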