Best practices for Automatic login via notification emails?
Here's how I've set up my table: http://cl.ly/Q1K2
When a user visits a link via the email, something like: http://example.com/go/IbQlQW8Dn8PNXJFFwHQxwh/hdC4dXQJUPA0pU7I6eUiXawbnobYv0iThA [http:/example.com/go/`key`/`secret`]
The server first checks that the url isn't expired based on the date in the table. If it isn't expired, the user is automatically logged in using the `user_id` and then redirected to the given url in the `action` column. I used two separate values (`key` & `secret`) for the url just for added security (prevent fusking).
Now because of the nature of the site (video lessons), security isn't a huge concern, but I'd still like to know what best practices to consider.
• Should I limit the number of times a link can be used? • Currently I have the link expire 60 hours (3 days) from when the email is sent. Should this be lowered? • Obvious two risks for unauthorized access include someone forwarding the email or someone gaining access to the user's email account. Anything else to consider?
1 comment
[ 5.6 ms ] story [ 12.1 ms ] threadI'm assuming your site's sessions are longer than the timeout of the sign-in link, so most users won't need to sign in multiple times in a short period anyway.
Also, a couple related links, if you haven't seen them:
http://notes.xoxco.com/post/27999787765/is-it-time-for-passw... https://nopassword.alexsmolen.com