id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux 29975,Password reset emails in combination with click tracking do not work with Intelligent Tracking Prevention on Safari for iOS 12 and macOS Mojave,Mat Gadd,nobody,"I wasn't sure whether or not to file this as a bug, since ''strictly'' it isn't a problem in the Django code, but at the very least having it here will help other people who are experiencing the issue understand what is happening. Users have started reporting that our password reset links sent out via email aren't working, and are showing the [https://github.com/django/django/blob/master/django/contrib/auth/views.py#L281 ""Password reset unsuccessful""] response instead. The reason for this is the click-tracking our email provider uses in combination with the ""Protection Against First Party Bounce Trackers"" feature of Safari on macOS and iOS, as [https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/ described on the WebKit blog]. What's happening is our email provider replaces our links with ones pointed at their servers with some query string to identify the user and destination, their server redirects to our password reset link, and Django's auth contrib attempts to set a cookie (this fails under ITP) then redirect, replacing the user's secret token in the URL with the internal token. Since the attempt to set a cookie fails, the user has no session and therefore no token, and the view won't present the user with the password form. We're planning to disable click tracking for these emails, which ''should'' mitigate the issue. An option to disable the redirect and internal token behaviour might be an idea for people that need click tracking or run into similar issues?",Bug,closed,contrib.auth,2.1,Normal,wontfix,"safari, privacy, auth, password reset",René Fleschenberg Jeff Bowen,Accepted,0,0,0,0,0,0