Password-less log in with webviews
I just added a password-less log in option to my website, which emails users a login link. If they click it within 10 minutes, they are logged in and cookies are set in their browser to remember them.
If the user opens the link from the iPhone Gmail app, it will open Safari in a webview. Since cookies are not shared between webviews and Safari, the user is only logged in within Gmail. If they escape to Safari (by pressing the little Safari symbol), they are no longer logged in.
Does anyone else have suggestions of a neat way to solve this issue? It feels like a significant usability problem for this type of log in, when faced with mobile users.
I have some ideas for workarounds. None feel particularly great.
- I could include a short-lived token in the query string, which would enable the user to 'escape' to Safari within X minutes and still be logged in. This would require a significant site overhaul to respect this query variable for the duration of a browsing session. It's also difficult to secure, since the user might share a link with a friend and accidentally give them access to their account. IP address limiting would only be a mediocre defence against this.
- The user could arrive at a "Click to login" page. That at least gives them the option to break out to Safari, right at that moment. But if they don't realise that, we are back to square one.