I just added a password-free login option to my website, which sends users a login link. If they click within 10 minutes, they are logged in and the cookies are configured in their browser to remember them.
If the user opens the link from the iPhone Gmail app, Safari will open a web view. Since cookies are not shared between web views and Safari, the user is only connected to Gmail. If they escape to Safari (by pressing the small Safari symbol), they are no longer connected.
Does anyone else have any suggestions for solving this problem? This sounds like a significant usability issue for this type of connection, facing mobile users.
I have some ideas for workarounds. None feels particularly good.
- I could include an ephemeral token in the query string, which would allow the user to "escape" to Safari in less than X minutes while staying connected. This would require a complete redesign of the site to meet this query variable for the duration of a browsing session. It is also difficult to secure because the user can share a link with a friend and accidentally give him access to his account. Limiting IP addresses would be only a poor defense against that.
- The user can get to a "Click to sign in" page. This gives them at least the opportunity to talk to Safari, just then. But if they do not realize it, we go back to square one.
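
A sketch of the second workaround (the "Click to sign in" page), added here as an example and not part of the original post: opening the link only renders a page, and the token is spent and the cookie set only when the button is pressed, so the same link still works after moving from the web view to Safari. The function names, the token layout and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 600                 # the post's 10-minute window
SECRET = secrets.token_bytes(32)  # assumption: per-process key; persist it in real use
_used_nonces = set()              # assumption: stand-in for a shared store of spent tokens


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id, now=None):
    """Build the value that goes into the emailed link."""
    issued = int(time.time() if now is None else now)
    payload = f"{user_id}.{issued}.{secrets.token_urlsafe(16)}"
    return f"{payload}.{_sign(payload)}"


def _check(token, now):
    """Return (user_id, nonce) for a valid, unexpired, unspent token, else None."""
    try:
        user_id, issued, nonce, sig = token.split(".")
        issued = int(issued)
    except ValueError:
        return None
    expected = _sign(f"{user_id}.{issued}.{nonce}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if now - issued > TTL_SECONDS or nonce in _used_nonces:
        return None
    return user_id, nonce


def handle_get(token, now=None):
    """Link opened (web view or Safari): show a page, set no cookie, spend nothing."""
    now = time.time() if now is None else now
    return "confirm_page" if _check(token, now) else "expired_page"


def handle_post(token, now=None):
    """'Click to sign in' pressed: spend the token; caller sets the cookie here."""
    now = time.time() if now is None else now
    checked = _check(token, now)
    if checked is None:
        return None
    _used_nonces.add(checked[1])
    return checked[0]
```

Because the token is single-use and expires after the same 10 minutes, a link forwarded after sign-in no longer grants access; a link forwarded before the button is pressed still does.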