Hacker News new | ask | show | jobs
by AlchemistCamp 1782 days ago
> "This sounds like it would break a bunch of email address verification systems, password recovery links and the like."

This is exactly the pain I've experienced with my own site, https://alchemist.camp

I've manually tested it and seen the token consumed when clicking the link via gmail but had no issues when copying the link from the password reset email to a gmail account. A second manual tester confirmed the same, as have multiple support cases.

Password recovery links sporadically fail for gmail users. I had to add extra instructions to copy and paste rather than click through the link and am in the process of moving away from single-use tokens because a lot of people still click before reading those instructions and email me for support.

My increased customer support burden isn't something Gmail PMs worry about, but they may whitelist some larger service's emails.
2 comments
konha 1782 days ago
Instead of copy and paste you could have a POST form on your site to trigger the actual reset (with a hidden field pre-populated from the params of the email link). Gmail and others won’t touch it. They assume a GET is free from side effects and that it is safe to load your link because of that.
link
lazide 1782 days ago
Why not make them 2 use tokens?

Not quite as secure, but way better than never expires?

link
jsf01 1782 days ago
Or after initial token use, set to expire after n seconds rather than immediately
link
AlchemistCamp 1782 days ago
That's exactly the approach I'm leaning towards using.
link
faeyanpiraat 1782 days ago
Or you could trigger an ajax call on the page that actually checks the token validity then redirect the user to a new password or a sorryexpired form.

Gmail may fetch the page but wont run the js on it.

Edit: this works for situations when spam filters fetch the links as soon as the mail arrives.

link
labawi 1782 days ago
Yes, please ruin functionality without javascript for the sake of gmail's nosiness.

Comment about a form and PUT/POST is good - it will work by standards in any browser, even when gmail starts executing javascript. Add auto-submit on top javascript if preferred.

link