Opened 21 months ago

Last modified 17 months ago

#29975 new Bug

Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave

Reported by: Mat Gadd Owned by: nobody
Component: contrib.auth Version: 2.1
Severity: Normal Keywords: safari, privacy, auth, password reset
Cc: René Fleschenberg, Jeff Bowen Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I wasn't sure whether or not to file this as a bug, since strictly it isn't a problem in the Django code, but at the very least having it here will help other people who are experiencing the issue understand what is happening.

Users have started reporting that our password reset links sent out via email aren't working, and are showing the Password reset unsuccessful response instead. The reason for this is the click-tracking our email provider uses in combination with the "Protection Against First Party Bounce Trackers" feature of Safari on macOS and iOS, as described on the WebKit blog.

What's happening is our email provider replaces our links with ones pointed at their servers with some query string to identify the user and destination, their server redirects to our password reset link, and Django's auth contrib attempts to set a cookie (this fails under ITP) then redirect, replacing the user's secret token in the URL with the internal token. Since the attempt to set a cookie fails, the user has no session and therefore no token, and the view won't present the user with the password form.

We're planning to disable click tracking for these emails, which should mitigate the issue.

An option to disable the redirect and internal token behaviour might be an idea for people that need click tracking or run into similar issues?

Change History (7)

comment:1 Changed 21 months ago by Tim Graham

Triage Stage: UnreviewedSomeday/Maybe

The DevelopersMailingList reaches a wider audience than this ticket tracker. You can write there to ask if there's a consensus to make a change in Django.

comment:2 Changed 19 months ago by René Fleschenberg

I filed an issue on the WebKit bug tracker: https://bugs.webkit.org/show_bug.cgi?id=193502

comment:3 Changed 19 months ago by René Fleschenberg

Cc: René Fleschenberg added

comment:4 Changed 19 months ago by René Fleschenberg

Just for the record: I believe this affects all users who use Safari in combination with Gmail, which seems to be a somewhat popular combination.

comment:5 Changed 18 months ago by Tim Graham

Triage Stage: Someday/MaybeAccepted

The django-developers discussion seems to suggest that we'll take some action to improve the situation.

comment:6 Changed 18 months ago by Jeff Bowen

Cc: Jeff Bowen added

comment:7 Changed 17 months ago by Mat Gadd

Hi all,

Thanks to the excellent work by Flávio Juvenal over on ticket #30250, we now have a workaround for this issue. It turns out to be a bug in Safari where it incorrectly handles cookies set with SameSite=lax, so setting CSRF_COOKIE_SAMESITE and SESSION_COOKIE_SAMESITE to None in your project settings will avoid this issue until Apple get around to deploying a fix for Safari.

Note: See TracTickets for help on using tickets.
Back to Top