#ironclaw-verification-sessions

Hello! Was this previously working for you and just stopped working today?

Hey Karbi, yes, it seems to have started in the last 24 hours.

https://www.loom.com/share/6812c880f40f4bb5ab946cee1df259a8

If we remove the return_to parameter when setting up the Verification Session, it doesn't happen.

Interesting... can you share one of those verification session IDs so I can take a look?

vs_1LjyTJBGdECXA33jeiJzhRrh

Also, can you elaborate a bit on "when you copy the URL from the stripe portal it works fine"?

Thats from the video.

The URL generated here doesn't seem to cause this issue.

The URLs are actually different:

Portal: https://verify.stripe.com/start/live_YWNjdF8xQWtYR3JCR2RFQ1hBMzNqLF9NU3hRbHdCdFlmRzd6RmZIaEpSQVBCaWdSSG5kMEVZ0100FR4nIXXX

Site: https://verify.stripe.com/start/live_YWNjdF8xQWtYR3JCR2RFQ1hBMzNqLF9NU3VIajNnUUw3Z1VGRHdpdUVlR3NEOGEwaU5jUlN20100lz6PjXXX

My initial reaction is this would happen if your integration is for some reason, accidentally consuming the link - whereas when you copy it from the portal it's never been visiting so it's still valid. Is there anything about your integration that has changed and would cause the link to be consumed/visited?

Hmm. Can the link only be visited once?

And no, we've pushed no changes in the past ~48 hours that would impact this.

Also, it would not explain that it works as expected when we remove the 'return_url' parameter.

Yeah that's a good point with the addition of the return_url parameter - give me a bit longer to diig in

Lastly, in case this helps, we've found that this URL works:

https://www.example.co.uk/my-account

But this format seems to cause the bug:

https://www.example.co.uk/?return_to_example

In other words, the query variable seems to trigger it.

^^ These are what you specify for the return_url, correct?

Also can you give me a bit more detail on what specifically your code is doing to redirect the verification session URL?

Correct.

The code generates the Verification Session, and redirects the user to the returned URL.

And how specifically are you redirecting? To you send that URL to your frontend and redirect client-side, or doing a 302/303 redirect server-side

I'm also not able to reproduce this on my end yet...

I need to head out @fleet sleet, but if you need anything else @primal salmon is here to help

Thanks! I’ll reply here asap regarding the redirect.

So, in terms of the redirect, we're using WordPress, server side, and it would be a HTTP302

To clarify, the docs say: "The session URL is single-use and expires after 48 hours."

Does this imply the link can only be clicked once, or the same URL is valid for 48 hours?

Hi there 👋 taking over for @late light

Give me a few minutes to get caught up and I'll circle back

Just letting you know I'm still working on this, but I needed another pair of eyes, so I'll circle back once a conclusion is reached

No panic. We've done more testing and we're reasonable confident that the link is one use only or very short lived. It seems any user that gets the same link (We cache them) as this issue, but any Session we create on the fly and redirect them to, works

Interesting, that definitely makes sense with how similar URLs work in our system. When I tested this in test mode, it let me visit these URLs multiple times, but I had a feeling it might be different in live.

To confirm, can you maybe try making a session, print the URL to your console, and try manually visiting it twice?

Yeah, i think that was the issue, we only tested in test mode and went live on the weekend.

Sure, I'll give it a try.

Ok, I hit it a few times in a row and it worked. I'll give it an hour and try again.