
number6's avatar

Session is lost when clicking link from email

I've built a simple application that works just fine but uncovered a bug I'm not sure how to tackle. I am using the typical Laravel session login, so for this situation assume I am logged into a Laravel app.

This app also sends email notifications with links sending the user to a specific page within the app (login protected).

This is what happens during my test and not sure how to fix it:

  1. Login
  2. Go to page to establish it works (http://mytest.local/some/page/1)
  3. Open email and click the same link we just tested (http://mytest.local/some/page/1)

This opens a new tab in my browser and gives me the "403 This action is unauthorized." for that URL. I then refresh the original page that works and it now shows "403 This action is unauthorized."

So it looks like when opening a new tab, it kills the current session instead of using it. Any idea on what to do?

0 likes
13 replies
Sinnbeck's avatar

Are there any parameters in the url in the mail? What if you send yourself a link manually?

1 like
number6's avatar

Thanks. There are no parameters. I sent the link to myself, clicked it and it happened again. For whatever reason, it's starting a new session because it can't find the original one (I still see it accessible whether I use file, cookie, or database session storage).

number6's avatar

If I breakpoint on Illuminate\Auth\Middleware\Authorize@handle the authorize statement returns true after logging in, but when I click the link in email, it returns null.

number6's avatar

Here's some more info on the error. It stopped killing the session when I changed config/session.php http_only from true to false.

I am not sure why that's causing an issue, but the URL being generated is an HTTPS URL in the email. Exactly like it is when I open it successfully manually.

I am going to push this code change to production and see if it really solves the issue.

UPDATE: This did not fix the issue in production; it only started working fine in local dev. The only difference should be the HTTPS cert.

Sinnbeck's avatar

I cannot see any reason why this should happen.

Can you try creating a brand new project and testing it out of the box?

What are you using to serve the website? Apache2? Valet?

number6's avatar

Agreed, it's very confusing, especially since the issue doesn't happen when I disable http_only. Need to test the same code on a different host now. I am using nginx on RedHat.

It worked locally in dev but not in production. Production is a HIPAA-compliant environment, so I am starting to wonder if there is something being stripped out of the request/response causing this issue.

Snapey's avatar

When you click the link in the email, presumably the same browser is opened that you already have open on this site? The browser should present its still valid session cookie for that domain to the server and the server should find an active session and reuse it.

Open your browser's network tools and check what is sent, and whether any redirects happen.

number6's avatar

There is a mailgun (from rackspace) generated link that does a 302 redirect to the expected URL. It's the typical tracking URL. I have disabled click tracking for now on mailgun just to make sure, but would be surprised if rackspace was causing this.

Other than that, there's nothing else happening on click.

bufferoverflow's avatar

@number6 Are you using Safari?

I'm having the exact same issue and I've noticed it only happens when opening links using Safari.

I thought it was caused by some misconfiguration in my app but I set up a fresh Laravel installation and the same happens.

Spotlightd's avatar

Make sure your session.php is configured with "same_site" => "lax" instead of "strict": your email provider has a different domain, so in strict mode your app will refuse its cookies (in GET, it still refuses cookies in POST using "lax").

3 likes
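Spotlightd's point above, modelled as an added example (not code from this thread or from Laravel): a small model of the browser's SameSite rule, showing why a session cookie issued with 'strict' is withheld on a cross-site email-link navigation while 'lax' still sends it for a top-level GET but not for a POST. The site names, URLs and the redirect-chain rule (Chrome's behaviour) are assumptions of the example.

```javascript
// Registrable site of a URL; the last two labels are enough for this model
// (a real browser consults the public-suffix list).
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// A navigation is cross-site when the page that started it, or any hop in its
// redirect chain (a click-tracking redirect, for instance), is on a different
// site than the final URL. Chrome applies this redirect-chain rule; a link
// opened from a native mail client has no initiator and counts as same-site.
function isCrossSite(initiatorSite, chain) {
  const target = siteOf(chain[chain.length - 1]);
  const crossInitiator = initiatorSite !== null && initiatorSite !== target;
  return crossInitiator || chain.some((url) => siteOf(url) !== target);
}

// Whether the browser attaches a cookie carrying the given SameSite value.
function cookieSent(sameSite, { initiatorSite, chain, method, topLevel }) {
  if (!isCrossSite(initiatorSite, chain)) return true;
  switch (sameSite) {
    case 'none':   return true;                      // also needs the Secure attribute
    case 'strict': return false;                     // never on a cross-site request
    case 'lax':    return topLevel && ['GET', 'HEAD'].includes(method);
    default:       throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// The situations discussed in the thread, as constructed inputs.
const APP = 'https://app.example/some/page/1';
const SCENARIOS = {
  // step 2: following an in-app link or typing the URL
  manual:    { initiatorSite: 'app.example', chain: [APP], method: 'GET', topLevel: true },
  // step 3: link in webmail that passes through a tracking redirect first
  emailLink: { initiatorSite: 'webmail.example',
               chain: ['https://track.example/c/abc', APP], method: 'GET', topLevel: true },
  // a cross-site form submission, which even 'lax' refuses
  crossPost: { initiatorSite: 'other.example', chain: [APP], method: 'POST', topLevel: true },
};

// Per SameSite setting, which scenarios still carry the session cookie.
function matrix() {
  const out = {};
  for (const mode of ['strict', 'lax', 'none']) {
    out[mode] = Object.fromEntries(
      Object.entries(SCENARIOS).map(([name, req]) => [name, cookieSent(mode, req)]));
  }
  return out;
}
```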
dkvadratu's avatar

Whoooho @spotlightd THANKS! 'same_site' => 'lax' helped.

I had an issue: on link click (in a Smartsheet/Google Sheet), session values from GET were missing.

But when I copy/paste the same link from the sheet into the browser, the session works as it should. Also, clicking the same link from email (Thunderbird) was working correctly.

rtconner's avatar

Thank you @spotlightd for that comment. This was happening to me. It was driving me absolutely nuts trying to solve this. Adjusting 'same_site' to 'lax' did also solve this issue for me.

mkirkpatrick's avatar

I am running into the same issue with outlook web. However I found that outlook is adding this in the header when you click the link: -strict-origin-when-cross-origin. I believe this is what is causing the issue. I still haven't found a solution.
