I found the issue and I should have seen this before now.
In the session, I set the samesite to ‘Strict’. So, when you click the link in the email, the site opens and the session is started without access to the user’s cookies, so it can’t set the session cookie. Then, when the response is returned and the site app runs again, it’s now a local request and samesite ‘Strict’ is allowed access to the user’s cookies, but the session flash object is empty, so the flash message is not displayed to the user.
This can be verified by checking your session files and there are 2 created from the 1 click in the email. The first has the flash messages, the second does not.
So, if you are going to send links to users to click and you need flash messaging to work, you have to use samesite ‘Lax’.
At least, I can’t think of any way around this.
Any ideas?
After some thought, I’m wondering why I’m returning a response and why the response cycles through the app a second time instead of just rendering the view. I’m obviously doing something wrong and it’s not making any sense to me.
Does returning a response equate to a redirect? If so, then it makes sense that it’s cycling through the app twice. Update: According to the docs, using withHeader('Location') is a redirect.
Always more questions. Any help would be appreciated.
Thanks
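
Added example, not part of the original post: a small Python model of the browser's SameSite decision for the first request of an email-link click, and of a server that starts a new session when the cookie does not arrive. The hosts `webmail.example` and `app.example`, the function names, and the two-label "site" shortcut are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def site_of(url):
    # Simplification (assumption): scheme + last two host labels.
    # Browsers use the Public Suffix List to find the registrable domain.
    parts = urlsplit(url)
    return parts.scheme, ".".join(parts.hostname.split(".")[-2:])

def cookie_is_sent(samesite, initiator_url, target_url, method="GET", top_level=True):
    """Browser side: does a cookie with this SameSite value accompany the request?"""
    # No web initiator (e.g. URL typed into the address bar) counts as same-site.
    if initiator_url is None or site_of(initiator_url) == site_of(target_url):
        return True
    if samesite == "None":
        return True
    if samesite == "Lax":
        # Cross-site: only top-level navigations with a safe method.
        return top_level and method.upper() in SAFE_METHODS
    return False  # Strict: never on a cross-site request

def handle_click(sessions, cookie_sid, samesite, initiator_url, target_url):
    """Server side: resume the session if the cookie arrived, else start a new one."""
    sid = cookie_sid if cookie_is_sent(samesite, initiator_url, target_url) else None
    if sid not in sessions:
        sid = secrets.token_hex(8)       # fresh session, i.e. a second session file
        sessions[sid] = {"flash": []}
    sessions[sid]["flash"].append("Email confirmed")
    return sid

def simulate(samesite):
    # Constructed scenario: the user already has session "existing" on the app
    # and clicks a link while reading mail in a webmail tab on another site.
    sessions = {"existing": {"flash": []}}
    sid = handle_click(sessions, "existing", samesite,
                       "https://webmail.example/inbox",
                       "https://app.example/confirm?token=x")
    return sid, len(sessions)

if __name__ == "__main__":
    for mode in ("Strict", "Lax"):
        print(mode, simulate(mode))
```

With `Strict` the flash message lands in a newly created session while the existing one stays empty; with `Lax` the existing session is resumed and only one session exists.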