Session and cookie lost when clicking a link from Gmail! Very Bizarre

Time:01-23

Brief Summary: When I click a link from Gmail, the cookies and sessions are lost. But if I copy the link in Gmail and paste it in a blank tab, the cookies are retained!

Long Detail: At www.mydomain.com, I set cookies and a PHP session with the following options:

```php
$myCookieSessionOptions = array(
    // session_set_cookie_params() takes a lifetime in seconds, not a time() timestamp
    'lifetime' => 60 * 60 * 24 * 363,
    'path'     => "/",
    'domain'   => "." . "mydomain.com",
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict'
);
session_set_cookie_params($myCookieSessionOptions);
session_name("mySessionName");
session_start();
```

The above is the code on both login.php and anotherpage.php. On login.php, when I log in and set sessions, etc., session_id() shows up as c7a9c180b767e889ad0161dc613aec41, for example.

When I access anotherpage.php in a blank tab with some GET parameters (and my code does nothing to the session), I get the same session_id().

However, when the same link to anotherpage.php (along with the GET parameters) is sent in an email, I get a totally new session_id: 3fc7f8749ba6eb46ddd35a0db3a17589, for example.

And in the other tab, which had login.php, the session is lost, as a new session is created, obviously.

The question is whether this behaviour is normal. And this is not with Gmail alone, obviously. From "anyotherdomain.com", when I click on a link to my domain, no cookies are sent!

Very weird! Is there any documentation on this behavior?

Any help will be appreciated

session.auto_start is Off (checked in phpinfo).

And there's no code before the above that does anything at all with the sessions.

Thanks

Rajan

CodePudding user response:

I figured it out! If I have samesite="none", the problem disappears.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

And I tested it & it works fine.

As per the doc:

Strict: Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.
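The following is an added example, not code from the original post or its answer. It restates the session-cookie setup from the question (with the lifetime corrected to a duration in seconds) and adds a small function modelling the SameSite rule quoted from MDN, so the three cases in the thread can be compared side by side: a link pasted into a blank tab (no cross-site initiator), a link clicked in Gmail (cross-site, top-level GET), and a cross-site POST. Under Strict the Gmail click carries no cookie, which is exactly the new session_id the question reports; Lax still sends the cookie on that top-level GET while withholding it on cross-site POSTs, so it is usually the safer fix than None, which sends the cookie on every cross-site request and leaves the application relying entirely on its own CSRF defences. The domain and session name are the ones used in the question; the scenario list and the `cookieWouldBeSent` helper are constructed for illustration.

```php
<?php
// Added example: session-cookie setup from the question plus a model of
// the SameSite rule. 'mydomain.com' and 'mySessionName' come from the post.

// Configures the PHP session cookie. Called from the web handler before any
// output; $sameSite is one of 'Strict', 'Lax' or 'None'.
function configureSession(string $sameSite = 'Lax'): void
{
    session_set_cookie_params([
        'lifetime' => 60 * 60 * 24 * 363,   // seconds; not a time() timestamp
        'path'     => '/',
        'domain'   => '.mydomain.com',
        'secure'   => true,                 // mandatory when samesite is 'None'
        'httponly' => true,
        'samesite' => $sameSite,
    ]);
    session_name('mySessionName');
    session_start();
}

// Model of the SameSite decision a browser makes for one request.
// $crossSite:          the request's site differs from the cookie's site
//                      (e.g. a click on mail.google.com leading to mydomain.com)
// $topLevelNavigation: the user navigates the tab (link click, address bar),
//                      as opposed to a subresource load, fetch() or XHR
// $method:             HTTP method of the request
// $secure:             the cookie carries the Secure attribute
function cookieWouldBeSent(
    string $sameSite,
    bool $crossSite,
    bool $topLevelNavigation,
    string $method,
    bool $secure
): bool {
    if (!$crossSite) {
        return true;                        // same-site requests always carry it
    }
    switch (strtolower($sameSite)) {
        case 'strict':
            return false;                   // never on cross-site requests, link clicks included
        case 'lax':
            // only top-level navigations using a safe method
            return $topLevelNavigation
                && in_array(strtoupper($method), ['GET', 'HEAD'], true);
        case 'none':
            return $secure;                 // browsers reject SameSite=None without Secure
    }
    return false;
}

// Constructed scenarios mirroring the thread: label, crossSite, topLevel, method
$scenarios = [
    ['link pasted into a blank tab',       false, true,  'GET'],
    ['link clicked from Gmail',            true,  true,  'GET'],
    ['cross-site form POST (CSRF-style)',  true,  true,  'POST'],
    ['cross-site fetch()/XHR',             true,  false, 'GET'],
];

foreach (['Strict', 'Lax', 'None'] as $mode) {
    foreach ($scenarios as [$label, $cross, $top, $method]) {
        $sent = cookieWouldBeSent($mode, $cross, $top, $method, true);
        printf("%-6s %-36s %s\n", $mode, $label, $sent ? 'cookie sent' : 'no cookie');
    }
}
```

Run it with `php samesite_demo.php` to print the matrix; `configureSession()` is only defined here and is meant to be called from the real login.php/anotherpage.php handlers. The Strict row for "link clicked from Gmail" reads "no cookie", which is the behaviour the question describes; switching the argument of `configureSession()` to 'Lax' keeps that link working without giving up protection against cross-site POSTs.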
