
Django allauth password reset doesn't work when clicking the link from email, but works otherwise


What is supposed to happen:

The request is completely handled by the django-allauth package which is supposed to detect the token, save it to the session, redirect to the 'change your password' page, and finally load the token from the session.

The problem:

The password reset function does not work when clicking the link from the email (Bad Token), but if I copy-paste the link into the url bar or click the href in Inspect Element mode it DOES work.
Note: It also works if

  • I reload the page after seeing "Bad Token"
  • I click the link from inside an email app on my mobile device

The error:

When you click the link from your email you make it all the way to the 'change your password' page but you get a "Bad Token" error as no Token was found in the session.

Format of the link emailed to the user:

<a href="https://subdomain.url.com/ls/click?upn=DEcd6nIgEEAvb4Zt..." rel="noreferrer" safedirecturl="https://www.google.com/url?q=https://sudomain.url.com/...">link text</a>

For clarification, both the href and the safedirecturl work fine if I copy-paste them into the url bar.

Conclusion:

So far, these are my only guesses at the cause of the issue:

I would greatly appreciate any input as I'm a bit stumped at this point.


Solution

  • Since in my django settings I had SESSION_COOKIE_SECURE = True, I had to change SESSION_COOKIE_SAMESITE = 'Strict' to SESSION_COOKIE_SAMESITE = 'Lax'
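The reason the Strict to Lax change fixes it is the browser's SameSite rule: an email click arrives as a cross-site top-level navigation, so a SameSite=Strict session cookie is never attached, not even on the redirect that follows the key URL. The toy model below is an added illustration, not code from the question, the answer or django-allauth; the domain names, session ids and token value are constructed placeholders.

```python
"""Toy model of the browser SameSite rule behind the 'Bad Token' symptom.

Added illustration; not code from the question, the answer, or django-allauth.
Domain names, session ids and the token value are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    # site of the page that started the navigation; None for a typed URL or a reload
    initiator_site: Optional[str]
    target_site: str
    top_level: bool = True
    method: str = "GET"


def cookie_attached(samesite: str, req: Request) -> bool:
    """Does a cookie with this SameSite value accompany the request?"""
    same_site = req.initiator_site is None or req.initiator_site == req.target_site
    if samesite == "None" or same_site:
        return True
    if samesite == "Lax":
        # cross-site, but a top-level navigation using a safe method is allowed
        return req.top_level and req.method in ("GET", "HEAD")
    return False  # Strict: never attached to a cross-site request


def password_reset_flow(samesite: str, initiator: Optional[str]) -> str:
    """Two requests, as allauth does: the key URL stores the token in the
    session and redirects; the 'set password' page then reads it back."""
    site = "app.example"  # placeholder for the application domain
    sessions = {}         # server-side session store: sid -> data
    jar = {}              # browser cookie jar for app.example

    def cookies_for(req: Request) -> dict:
        return dict(jar) if cookie_attached(samesite, req) else {}

    # 1. The click (via the mailer's tracking redirect) lands on the key URL.
    req1 = Request(initiator, site)
    sid = cookies_for(req1).get("sessionid", "sid-1")
    sessions.setdefault(sid, {})["reset_key"] = "TOKEN-constructed"
    jar["sessionid"] = sid  # Set-Cookie on the 302 response is still stored

    # 2. The browser follows the redirect; it is still the same cross-site navigation,
    #    so the Strict cookie stays in the jar and the server sees an empty session.
    req2 = Request(initiator, site)
    data = sessions.get(cookies_for(req2).get("sessionid"), {})
    return "password form" if "reset_key" in data else "Bad Token"
```

A reload or a pasted URL has no cross-site initiator, which is why those paths work even with Strict; Lax keeps the cookie off cross-site POSTs while allowing the GET navigation the reset link needs.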