Password reset links are broken in Gmail, session being dropped, PHP bug

Question

I finished a website, and when I send registration and password reset emails the login links are broken. They work fine from Thunderbird even with my Gmail account, but they don't work from the Gmail web interface. I have no idea what the problem is. Does the Gmail client attach anything to the search part of the links or break unique identifiers?

Another problem is that now, after several trials and errors, Gmail blocked the email address I use. Emails no longer arrive, not even to spam, when the address is a Gmail address. Is there any way to unblock it? The letter I use is really simple, just a few sentences about registration or password reset and a unique hyperlink to log in.

Answer 1

Score: 0

I had to wait a few days, and now emails arrive again to my Gmail account.

The other problem, that links don't work, is because the Google URL service cuts off the unique identifier from the search part of the URL. I have no idea how to avoid this atm, but I am working on it.

What happens is the following:

The first URL is what I would expect, the second URL is what I get from google redirect. I have no idea why it works this way or how to avoid it. The first is base64 encoded JSON.

The normal URL:
https://example.com?uid=D4Geu4PNxvZtprWRJsx3JU1iqF4LBLw2bhNdqF6uVDS63RmCQbAugCwCDoMmYuGabpWVRUZjJcXxSjNIyjr%252BjsPK%252FmQE9wog%252F04MRwrdVg7WtCwe0IPiPRVCMhUi8O%252FoYjn%252BkiMo6g%253D%253D_6qQSOARh5wslVp29_jQ1rwZEprd8b2dEO%252FkNLZQ%253D%253D

Google URL redirect:
https://example.com?uid=D4Geu4PNxvZtprWRJsx3JU1iqF4LBLw2bhNdqF6uVDS63RmCQbAugCwCDoMmYuGabpWVRUZjJcXxSjNIyjr%2BjsPK%2FmQE9wog%2F04MRwrdVg7WtCwe0IPiPRVCMhUi8O%2FoYjn%2BkiMo6g%3D%3D_6qQSOARh5wslVp29_jQ1rwZEprd8b2dEO%2FkNLZQ%3D%3D

urldecode(normalURL):
https://example.com?uid=D4Geu4PNxvZtprWRJsx3JU1iqF4LBLw2bhNdqF6uVDS63RmCQbAugCwCDoMmYuGabpWVRUZjJcXxSjNIyjr%2BjsPK%2FmQE9wog%2F04MRwrdVg7WtCwe0IPiPRVCMhUi8O%2FoYjn%2BkiMo6g%3D%3D_6qQSOARh5wslVp29_jQ1rwZEprd8b2dEO%2FkNLZQ%3D%3D

It looks like Google uses URL decode on my URL, this is why it does not work. Not sure yet how to solve it, maybe with different encoding than base 64, so URI decoded and normal URI would be the same.

It turned out SLIM adds url encoding on its own to the query part, so I removed that from my code, because it caused double urlencoded query. Did not solve it.

I changed base64 to hex, did not solve it.

I managed to reproduce it finally without sending any email, so it is not email related either. I was able to reproduce it with a simple local HTML file. This is very odd, because it means that this is something referer dependent, but there wasn't any referer dependent line in my code.

I checked a lot of breakpoints in my code and for both link clicking and copy-pasting URI, the code did the exact same thing. So I ended up with the conclusion that the problem is not with my code.

I checked the HTTP headers, and for the link clicking case the session id changed for the session cookie. The session variables are dropped for these cases, so it is not a simple session_regenerate_id(), but something else.

I investigated further and found this in my code:

    ini_set('session.cookie_samesite', 'Strict');

When I removed this line, it started to work properly. I don't get how dropping session data each time somebody clicks on a cross origin link gives anything from a security perspective. Even with a new session id, it does not even work as it is supposed to, because it drops the session I set in the first request.

    "gmail"
     -clicking_on_link->
      "my_site?uid={uid}" + session_1_created
     -redirect + session_1_and_its_data_dropped->
      "my_site?main" + session2_created

    empty_page
     -copy_paste_link_to_address_bar->
      "my_site?uid={uid}" + session_1_created
     -redirect->
      "my_site?main" + session_1_continued

Some vanilla PHP to reproduce it:

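    <?php
    // Must run before session_start() so the session cookie is issued with SameSite=Strict.
    ini_set('session.cookie_samesite', 'Strict');

    // Read the counter stored in the session (0 on a fresh session).
    session_start();
    $data = isset($_SESSION['data']) ? $_SESSION['data'] : 0;
    session_write_close();

    ++$data;

    // Store the incremented counter back into the session.
    session_start();
    $_SESSION['data'] = $data;
    session_write_close();

    // "/" prints the counter; any other URI redirects to "/".
    if ($_SERVER['REQUEST_URI'] === '/')
        var_dump($data);
    else
        header('Location: /');
    exit;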

Even more worrying is that when I keep refreshing the same page the session is always dropped, and I keep getting "1" printed with a new session id. Only when I click in the address bar and hit enter does it start to work properly, so I am certain this is a PHP bug with 8.0.26 or it does not make any sense from a security perspective to keep dropping the session even on the same origin. It took me 5 annoying days to find it. Finally.
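The two flows from the diagram in the answer, replayed in a small model of the browser's SameSite decision and a server that starts a fresh session whenever no cookie arrives (an added example, not code from the original post). It assumes the redirect keeps the navigation's original initiator and uses a hypothetical host `my_site.example`; the `Lax` run goes beyond the post to show the setting under which the clicked link keeps its session.

```javascript
// Simplified model, constructed for illustration.
// initiatorSite: site whose page started the navigation, or null when the
// URL was typed or pasted into the address bar.
function cookieIsSent(sameSite, initiatorSite, targetSite, method) {
  const sameSiteRequest = initiatorSite === null || initiatorSite === targetSite;
  if (sameSiteRequest) return true;
  if (sameSite === 'Strict') return false;          // withheld on any cross-site request
  if (sameSite === 'Lax') return method === 'GET';  // only top-level safe navigations
  return true;                                      // 'None'
}

// Replays GET /?uid={uid} followed by the 302 to /. The redirect belongs to
// the same navigation, so it is evaluated with the same initiator.
function replay(sameSite, initiatorSite) {
  const site = 'my_site.example';   // hypothetical host
  const sessions = new Map();       // server-side session store: id -> counter
  let jar = null;                   // session id stored by the browser
  let nextId = 1;
  const trace = [];
  for (const path of ['/?uid={uid}', '/']) {
    const sent = jar !== null && cookieIsSent(sameSite, initiatorSite, site, 'GET');
    let id = sent ? jar : null;
    if (id === null) {              // session_start() without an incoming cookie
      id = 'session_' + nextId++;
      sessions.set(id, 0);
    }
    sessions.set(id, sessions.get(id) + 1);  // ++$data in the reproduction script
    jar = id;                       // Set-Cookie replaces the stored id
    trace.push({ path, id, data: sessions.get(id) });
  }
  return trace;
}

// State seen by the final page ("/"), i.e. what var_dump($data) would print.
function finalState(sameSite, initiatorSite) {
  const trace = replay(sameSite, initiatorSite);
  return trace[trace.length - 1];
}

console.log(finalState('Strict', 'mail.google.com')); // link clicked in webmail
console.log(finalState('Strict', null));              // pasted into the address bar
console.log(finalState('Lax', 'mail.google.com'));    // link clicked, Lax cookie
```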

huangapple
  • Published on July 13, 2023, 17:33:05
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76677903.html
  • gmail
  • php
  • session
