0

I have a wordpress based website and use SMS to send users a link containing a key which will allow them to reset their password in wordpress. On a Samsung Android phone the SMS is received by the default Samsung Messages app. The problem is that the app by default (therefore for most of my users) opens the link using a WebView, not the phones full browser, a browser within the Messages app itself. The user enters a new password which my website saves no problem but when it then logs them in using the following standard wordpress code the login fails and the user remains logged out:

  wp_set_current_user($user_id, $user->user_login);
  wp_set_auth_cookie($user_id);
  do_action('wp_login', $user->user_login);

If then I try to manually log in within the webview it will also fail. I'm finding very few resources talking about this issue and I'm unsure how best to solve. I can't find anything that lets you indicate within a url that webview should not be used (not surprisingly but worth a search), or anything even to let me reliably detect the message has been opened in a webview so a 'please copy and paste the sms link' message could be displayed to the user to work around the issue - not ideal but better than them being baffled why they can't log in. ($_SERVER['HTTP_USER_AGENT'] for the webview on a test Samsung phone gives me:

HTTP_USER_AGENT: Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-A510F/A510FXXS8CSF3) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/10.2 Chrome/71.0.3578.99 Mobile Safari/537.36

I assume the issue is being caused because WebView doesn't allow cookies to be stored, thus breaking wordpress login. Can anyone suggest a good way to workaround the issue?

Adam Pulley
  • 1
  • 1
  • check this https://stackoverflow.com/questions/2566485/webview-and-cookies-on-android – Manthan Tilva Dec 05 '19 at 07:27
  • Thanks I had come across this but the answers I think are based on the developer having control of the WebView (as are various other resources I've found), not on the web site developer having no control over the WebView Samsung have decided to implement within their Messages app – Adam Pulley Dec 05 '19 at 11:44

1 Answers1

0

I can't find anything that lets you indicate within a url that webview should not be used (not surprisingly but worth a search), or anything even to let me reliably detect the message has been opened in a webview so a 'please copy and paste the sms link' message could be displayed to the user to work around the issue

There is no workaround for this issue - you can not detect wether its running in webView or in actual browser. Our company CTO and I have searched solution for this issue for months now. Google documentation says, that webview adds "wv" into user-agent, but it doesn't.

Here is the google link: https://developer.chrome.com/docs/multidevice/user-agent/ that says:

WebView UA in Lollipop and Above

In the newer versions of WebView, you can differentiate the WebView by looking for the wv field as highlighted below.

Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.65 Mobile Safari/537.36

Web developers do not have control over android/iOS application, that opens your URL via webview

Jean-François Fabre
  • 137,073
  • 23
  • 153
  • 219
vax
  • 1
  • 2