I finished a website, and when I send registration and password reset emails the login links are broken. They work fine from Thunderbird even with my Gmail account, but they don't work from the Gmail web interface. I have no idea what the problem is. Does the Gmail client attach anything to the search part of the links or break unique identifiers?
Another problem is that now, after several trials and errors, Gmail blocked the email address I use. Emails no longer arrive, not even to spam, when the address is a Gmail address. Is there any way to unblock it? The letter I use is really simple, just a few sentences about registration or password reset and a unique hyperlink to log in.
I had to wait a few days and now emails arrive again to my Gmail account.
The other problem, that links don't work, is because the Google URL service cuts off the unique identifier from the search part of the URL. I have no idea how to avoid this at the moment, but I am working on it.
What happens is the following:
The first URL is what I would expect, the second URL is what I get from google redirect. I have no idea why it works this way or how to avoid it. The first is base64 encoded JSON.
The normal URL:
https://example.com?uid=D4Geu4PNxvZtprWRJsx3JU1iqF4LBLw2bhNdqF6uVDS63RmCQbAugCwCDoMmYuGabpWVRUZjJcXxSjNIyjr%252BjsPK%252FmQE9wog%252F04MRwrdVg7WtCwe0IPiPRVCMhUi8O%252FoYjn%252BkiMo6g%253D%253D_6qQSOARh5wslVp29_jQ1rwZEprd8b2dEO%252FkNLZQ%253D%253D
Google URL redirect:
https://example.com?uid=D4Geu4PNxvZtprWRJsx3JU1iqF4LBLw2bhNdqF6uVDS63RmCQbAugCwCDoMmYuGabpWVRUZjJcXxSjNIyjr%2BjsPK%2FmQE9wog%2F04MRwrdVg7WtCwe0IPiPRVCMhUi8O%2FoYjn%2BkiMo6g%3D%3D_6qQSOARh5wslVp29_jQ1rwZEprd8b2dEO%2FkNLZQ%3D%3D
urldecode(normalURL):
https://example.com?uid=D4Geu4PNxvZtprWRJsx3JU1iqF4LBLw2bhNdqF6uVDS63RmCQbAugCwCDoMmYuGabpWVRUZjJcXxSjNIyjr%2BjsPK%2FmQE9wog%2F04MRwrdVg7WtCwe0IPiPRVCMhUi8O%2FoYjn%2BkiMo6g%3D%3D_6qQSOARh5wslVp29_jQ1rwZEprd8b2dEO%2FkNLZQ%3D%3D
It looks like Google uses URL decode on my URL; this is why it does not work. Not sure yet how to solve it, maybe with a different encoding than base64, so the URI-decoded and normal URI would be the same.
It turned out SLIM adds URL encoding on its own to the query part, so I removed that from my code, because it caused a double URL-encoded query. Did not solve it.
I changed base64 to hex, did not solve it.
I managed to reproduce it finally without sending any email, so it is not email related either. I was able to reproduce it with a simple local HTML file. This is very odd, because it means that this is something referer dependent, but there wasn't any referer dependent line in my code.
I checked a lot of breakpoints in my code and for both link clicking and copy-pasting URI, the code did the exact same thing. So I ended up with the conclusion that the problem is not with my code.
I checked the HTTP headers, and for the link clicking case the session id changed for the session cookie. The session variables are dropped for these cases, so it is not a simple session_regenerate_id(), but something else.
I investigated further and found this in my code:
ini_set('session.cookie_samesite', 'Strict');
When I removed this line, it started to work properly. I don't get how dropping session data each time somebody clicks on a cross-origin link gives anything from a security perspective. Even with a new session id, it does not even work as it is supposed to, because it drops the session I set in the first request.
"gmail"
-clicking_on_link->
"my_site?uid={uid}" + session_1_created
-redirect + session_1_and_its_data_dropped->
"my_site?main" + session2_created
empty_page
-copy_paste_link_to_address_bar->
"my_site?uid={uid}" + session_1_created
-redirect->
"my_site?main" + session_1_continued
Some vanilla PHP to reproduce it:
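<?php
// Reproduction of the dropped session described above.
ini_set('session.cookie_samesite', 'Strict');

// Read the counter from the session (0 when the session is new).
session_start();
$data = isset($_SESSION['data']) ? $_SESSION['data'] : 0;
session_write_close();

++$data;

// Store the incremented counter back into the session.
session_start();
$_SESSION['data'] = $data;
session_write_close();

// Any path other than "/" redirects to "/", which prints the counter.
if ($_SERVER['REQUEST_URI'] === '/')
    var_dump($data);
else
    header('Location: /');
exit;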
Even more worrying is that when I keep refreshing the same page, the session is always dropped and I keep getting "1" printed with a new session id. Only when I click in the address bar and hit enter does it start to work properly, so I am certain this is a PHP bug with 8.0.26, or it does not make any sense from a security perspective to keep dropping the session even on the same origin. It took me 5 annoying days to find it. Finally.
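The trace above can be replayed offline with a simplified model of the browser's SameSite decision for a top-level navigation, driving the same counter-and-redirect logic as the PHP snippet. This is an added example, not part of the original post. The names `cookie_is_sent`, `Server` and `navigate` are hypothetical, and the model assumes a redirect keeps the initiator of the original navigation, which matches the trace observed in the post.

```python
# Added example: simplified model, not browser or PHP source code.
# Assumption: the redirected request is still attributed to the site that
# started the navigation, so SameSite is evaluated against that initiator.

def cookie_is_sent(samesite, initiator_site, target_site):
    """Decide whether the session cookie accompanies a top-level GET."""
    if initiator_site is None or initiator_site == target_site:
        return True                       # pasted/typed URL or same-site link
    return samesite in ("Lax", "None")    # cross-site click: Strict is withheld


class Server:
    """Mimics the PHP repro: bump a per-session counter, redirect to '/'."""

    def __init__(self):
        self.sessions = {}

    def handle(self, path, session_id):
        if session_id not in self.sessions:       # no cookie -> new session
            session_id = f"session_{len(self.sessions) + 1}"
            self.sessions[session_id] = 0
        self.sessions[session_id] += 1
        redirect = None if path == "/" else "/"
        return session_id, self.sessions[session_id], redirect


def navigate(samesite, initiator_site, path, site="my_site"):
    """Follow the redirect chain; return [(path, session_id, counter), ...]."""
    server, jar, trace = Server(), None, []
    while path is not None:
        sent = jar if cookie_is_sent(samesite, initiator_site, site) else None
        # The Set-Cookie in the response overwrites whatever the jar held.
        jar, counter, redirect = server.handle(path, sent)
        trace.append((path, jar, counter))
        path = redirect
    return trace


if __name__ == "__main__":
    # Constructed inputs: "gmail" is the cross-site initiator, None is the address bar.
    for policy, initiator in (("Strict", "gmail"), ("Lax", "gmail"), ("Strict", None)):
        print(policy, initiator, navigate(policy, initiator, "/?uid=abc"))
```

In this model the `Lax` run keeps `session_1` across the redirect after a cross-site click, while `Strict` only does so when there is no cross-site initiator.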