jkap
@jkap

unbelievably funny to figure out that a weird, hard to debug session bug is actually because twitter is doing some bullshit to track you across websites more easily.

full summary coming once the fix is up


jkap
@jkap

(you might need to clear your cohost cookie to get the fix. signing out and back in won't do it, but clicking on a cohost link from twitter will.)

MOST URL SHORTENERS use a 300-range redirect HTTP code to tell your browser the long url. This is the standard, it works with everything, it's great, everyone loves it.

Twitter, however, is an advertising company and thus needs to track you cross-site, which they do by handling t.co redirects in a non-standard way. This collided with our cookie security settings (SameSite: strict, for those who care) so that if you clicked a t.co link to cohost, your browser wouldn't send up an auth cookie, so the server would give you a new one, so you would be logged out. We have fixed this by changing to SameSite: lax, which it turns out is actually the browser default now. Neat!

Thank you @wren for discovering this bug. It's a dumb one.
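Added example, not part of the original post and not cohost's code: a simplified JavaScript model of the failure described above, where a cross-site click arrives without the `SameSite: strict` cookie and the server's fresh session replaces the logged-in one. The function names, the `session` cookie, the `sess-alice` value and the counter-based session ids are constructed for illustration; the browser rule is reduced to top-level navigations.

```javascript
// Browser side: is a cookie attached to a top-level navigation?
// Simplified model of the SameSite rules (assumption: top-level requests only).
function cookieIsSent(sameSite, nav) {
  if (nav.initiatorSite === nav.targetSite) return true; // same-site: always sent
  if (sameSite === 'Strict') return false;               // never on cross-site requests
  if (sameSite === 'Lax') return nav.method === 'GET';   // only safe top-level navigations
  return true;                                           // 'None'
}

// Server side (hypothetical handler): a request without a valid session
// cookie gets a new anonymous session via Set-Cookie.
let nextId = 0; // constructed ids; a real server uses a CSPRNG
function handleRequest(sessions, cookieValue) {
  if (cookieValue && sessions.has(cookieValue)) {
    return { user: sessions.get(cookieValue), setCookie: null };
  }
  const fresh = 'sess-anon-' + (++nextId);
  sessions.set(fresh, null);
  return { user: null, setCookie: fresh };
}

// One click on a link to cohost.org, followed by a later same-site request.
function clickLink(sameSite, initiatorSite) {
  const sessions = new Map([['sess-alice', 'alice']]); // constructed login
  const jar = { name: 'session', value: 'sess-alice', sameSite };
  const nav = { initiatorSite, targetSite: 'cohost.org', method: 'GET' };

  const sent = cookieIsSent(jar.sameSite, nav) ? jar.value : null;
  const res = handleRequest(sessions, sent);
  // Set-Cookie with the same name overwrites the stored cookie,
  // so the logged-in session id is lost on the client.
  if (res.setCookie) jar.value = res.setCookie;

  const later = handleRequest(sessions, jar.value); // next same-site request
  return { sentOnClick: sent !== null, userAfter: later.user };
}

console.log('Strict via t.co:', clickLink('Strict', 't.co'));
console.log('Lax via t.co:   ', clickLink('Lax', 't.co'));
```

The overwrite in `clickLink` is the step that turns a single cookie-less request into a logout; a server that does not issue a new session on such a request would not lose the existing one.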


