Clicking links in Windows 10

Evo

Hi all,

I just got a bug report for something I've been working on. It's a web-based laravel app; it uses a link as some sort of login system (for questionnaires). So, it receives an id and a random key, sets a cookie and redirects to the actual page to build the questionnaire.
Doesn't sound too strange, right? And all worked fine. Except on Windows 10.

The link is usually sent per e-mail or in a word document. When copy-pasting the link in the browser, it works fine. However, clicking a link in an e-mail or document doesn't. It doesn't update the login: when a user isn't logged in it shows an unauthorized message, and when another link has been clicked before the old one is served.

So I started debugging using Wireshark. I saw requests like this:

• GET request to the login (Server redirects)
• GET request to the redirected page (Server shows the appropriate page)
• GET request to the redirected page (Server shows the wrong page; different cookies/sessions are used here).

I tried to figure out where the second request came from, but I didn't have much to go on. Until suddenly I noticed the User-Agent header differed on the last request.
So, when you click a link in Windows 10 (at least from word/e-mail) it first uses "Internet Explorer" to visit the link. It sees it's a redirect, loads that page, and finally opens the browser only for that page.
Of course, that means all cookies are lost. The browser has no way at all to log in whatsoever.

Seriously, WTF? I'm not even sure how I'm supposed to fix this. It's going to be hacky for sure...

Edit: And no, it turned out not to be a permanent redirect...

marczellm

Javascript redirect? (I don't know about web dev so this might be a suggestion)

Evo

@marczellm said in Clicking links in Windows 10:

Javascript redirect? (I don't know about web dev so this might be a suggestion)

Yeah, I fixed it using a meta-refresh of a few seconds and a bullshit message. Still, this shouldn't even be a thing. I can't even...

Lorne Kates

@Evo said in Clicking links in Windows 10:

Except on Windows 10.

Just tell those people they're idiots, and include a link on how to install Windows 7.

Zmaster

I'll say straight away that I'm not a web developer.

Are you sure that you weren't using a Permanent Redirect? According to this page

List of HTTP status codes - Wikipedia

Permanent Redirect:
"This and all future requests should be directed to the given URI."

Temporary Redirect:
"In this case, the request should be repeated with another URI; however, future requests should still use the original URI"'

I always wondered what was the reason to have two different codes and what the practical implications were...

Scarlet_Manuka

@Evo said in Clicking links in Windows 10:

it first uses "Internet Explorer" to visit the link. It sees it's a redirect, loads that page, and finally opens the browser only for that page.

So, presumably any link you open gets pre-inspected by "IE" (I guess it's really some OS component doing some sort of safety thing) first? Guess that's one way to drive up IE's reported market share.

Dragnslcr

@Zmaster said in Clicking links in Windows 10:

Permanent Redirect:
"This and all future requests should be directed to the given URI."

Temporary Redirect:
"In this case, the request should be repeated with another URI; however, future requests should still use the original URI"'

I always wondered what was the reason to have two different codes and what the practical implications were...

In theory, if the server sends back a permanent redirect, the browser can assume that the URL will never again be an actual page, so the browser could do things like update bookmarks, delete cached files (or move them to the new URL), etc. I don't know if any browsers do anything special with permanent redirects, though.

sloosecannon

@Dragnslcr said in Clicking links in Windows 10:

I don't know if any browsers do anything special with permanent redirects, though.

Fairly certain Chrome remembers (some of?) them. I know it remembers when it gets redirected to https and does it automatically

error

@sloosecannon said in Clicking links in Windows 10:

@Dragnslcr said in Clicking links in Windows 10:

I don't know if any browsers do anything special with permanent redirects, though.

Fairly certain Chrome remembers (some of?) them. I know it remembers when it gets redirected to https and does it automatically

That's

HTTP Strict Transport Security - Wikipedia

But it does also cache permanent redirects. Which sucks when someone accidentally publishes a permanent redirect on the homepage of your site that sees 10k visitors on a slow day.

Edit: Beautiful OneBox. Five stars.

Evo

@Zmaster said in Clicking links in Windows 10:

I'll say straight away that I'm not a web developer.

Are you sure that you weren't using a Permanent Redirect? According to this page

List of HTTP status codes - Wikipedia

Permanent Redirect:
"This and all future requests should be directed to the given URI."

Temporary Redirect:
"In this case, the request should be repeated with another URI; however, future requests should still use the original URI"'

I always wondered what was the reason to have two different codes and what the practical implications were...

Actually, that would make some sense! So I went and tested it...
HTTP/1.1 302 Found

Nope, not a permanent redirect. Guess that would have made too much sense; we're talking about Microsoft here...