Here's how I've set up my table: http://cl.ly/Q1K2
When a user visits a link via the email, something like: http://example.com/go/IbQlQW8Dn8PNXJFFwHQxwh/hdC4dXQJUPA0pU7I6eUiXawbnobYv0iThA [http://example.com/go/`key`/`secret`]
The server first checks that the URL isn't expired based on the date in the table. If it isn't expired, the user is automatically logged in using the `user_id` and then redirected to the given URL in the `action` column. I used two separate values (`key` & `secret`) for the URL just for added security (prevent fusking).
Now because of the nature of the site (video lessons), security isn't a huge concern, but I'd still like to know what best practices to consider.
• Should I limit the number of times a link can be used?
• Currently I have the link expire 60 hours (3 days) from when the email is sent. Should this be lowered?
• Two obvious risks for unauthorized access include someone forwarding the email or someone gaining access to the user's email account. Anything else to consider?
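The link check described in the post, written out as an added example (not the poster's code), with a use limit enforced at redemption. The table name `login_links`, the `secret_hash` and `uses_left` columns, storing a SHA-256 hash of the secret instead of the secret itself, and the default of one use are assumptions; the 60-hour lifetime is the post's.

```python
import hashlib, hmac, secrets, sqlite3
from datetime import datetime, timedelta, timezone

def open_db():
    # Hypothetical schema modelled on the columns named in the post.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE login_links (
        key TEXT PRIMARY KEY, secret_hash TEXT NOT NULL, user_id INTEGER NOT NULL,
        action TEXT NOT NULL, expires_at TEXT NOT NULL, uses_left INTEGER NOT NULL)""")
    return db

def _digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()

def issue(db, user_id, action, now, ttl_hours=60, max_uses=1):
    """Create a link row and return the (key, secret) pair to embed in the URL."""
    key, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(24)
    expires = (now + timedelta(hours=ttl_hours)).isoformat()
    db.execute("INSERT INTO login_links VALUES (?,?,?,?,?,?)",
               (key, _digest(secret), user_id, action, expires, max_uses))
    return key, secret

def redeem(db, key, secret, now):
    """Return (user_id, action) if the link is valid, else None."""
    row = db.execute("SELECT secret_hash, user_id, action, expires_at "
                     "FROM login_links WHERE key = ?", (key,)).fetchone()
    if row is None:
        return None
    secret_hash, user_id, action, expires_at = row
    # Constant-time comparison of the stored hash and the presented secret's hash.
    if not hmac.compare_digest(secret_hash, _digest(secret)):
        return None
    if now >= datetime.fromisoformat(expires_at):
        return None
    # Atomic decrement: two concurrent requests cannot both spend the last use.
    cur = db.execute("UPDATE login_links SET uses_left = uses_left - 1 "
                     "WHERE key = ? AND uses_left > 0", (key,))
    if cur.rowcount != 1:
        return None
    return user_id, action
```

A failed secret check does not consume a use, so a wrong guess cannot burn the legitimate user's link.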