Hey Token, Stop logging me out!

Hey Token, Stop logging me out!

11.0 Core Complete

The use of tokens seems to interact with a preexisting login/session in an undesirable way.  Easiest explained with an example:

1. Alisha Admin logs into the external site and checked the "keep me logged in" box. Navigation within the site works and she remains logged in for a long duration.
2. Alisha receives an email with a tokenized link restricted to /page/1234 to enter Group Attendance (e.g., {{ Person | PersonTokenCreate:null,null,1234 }}).
3. Alisha clicks on the email, and is taken to page/1234 and enters attendance.
4. Alisha navigates to the home page, or any other page, and is no longer logged in.

Especially for active people that may be using tokenized links frequently, they will feel like they are constantly having to re-login to the website.

Not knowing the internals, but presumably the token created a new session, effectively clobbering the previous one and that session, being limited to page/1234 becomes invalid and logs the person out.

This idea recommends a change to the token-handling such that upon navigation using a token, if a logged-in user session already exists and is equivalent or superior to the passed rckipid token (e.g., person's existing session would allow navigation to that page already), then the token should be effectively ignored or at least not affect the existing token/session.

Here is some simple HTLM/Lava that can be placed in an HTML block on a test page to demonstrate:

{% assign pageId = 'Global' | Page:'Id' | AsInteger %}
{% assign token = CurrentPerson | PersonTokenCreate:null,null,pageId %}
<h3>Hello {{ CurrentPerson.FullName }}</h3>
Here is a tokenized link for you for, for only this page, id: {{ pageId }}<br>
First, <a href="/page/{{ pageId }}?rckipid={{ token }}">click here</a><br>
Then, <a href="/page/1">click here</a> (notice: you are no longer logged in)

Photo of Steve Lipinski Submitted by Steve Lipinski, First Church of God of Columbia City  ·   ·  Core
Photo of Nick Airdo Complete Nick Airdo, Spark!  · 

Great idea! It will be in v11.

Planned Version 11.0
Ministry Strength 1 / 5
Login to add a comment...

  • Jim Michael

    Just circling back to say I did in fact use a different domain for the token/link in the email we sent for contribution statements, and it worked great! It was an ideal case because we were sending them to one single page (the contribution statement), just at a different site/domain. So no one was logged out of the main website just because they viewed their contrib statement. Again, I think this needs to be fixed per this issue, but at least there's a workaround that is viable for some tokenized link use-cases.

  • Jim Michael

    While I think this is a good idea and would like to see the problem addressed in some way, to work around this today I've been toying with the idea of using a completely different domain through which to deliver certain tokenized links... particularly ones delivered to mobile (texted) where the person clicks to launch or get back to a workflow instance.

    For example, our main domain is but we also own (mainly used for URL shortening), and I think we could work around this issue -- at least for a large subset of our tokenized link needs -- by delivering the link via (which, especially on mobile, no one will even notice anyway) and thus avoid the "logs me out of the website" issue altogether.