 

Auto-login best practices

I'm developing a web app that sends the user an email notification to complete a lesson/tutorial. I've added the ability to automatically log in the user via the link in that email. This feature has been added to several services around the internet, most notably OkCupid.

Here's how I've set up my table:

+----+-------------+-------------------+-----------+--------------+----------------------+
| id | key (22)    |  secret (40)      |  user_id  |  action      |  expires             |
+----+-------------+-------------------+-----------+--------------+----------------------+
|  1 | IbQlQW8Dn...|  hdC4dXQJUPA0...  |  1        |  lesson/14   |  2013-06-21 16:28:55 |
+----+-------------+-------------------+-----------+--------------+----------------------+

When a user visits a link via the email, something like: http://example.com/go/IbQlQW8Dn8PNXJFFwHQxwh/hdC4dXQJUPA0pU7I6eUiXawbnobYv0iThA [http://example.com/go/key/secret]

The server first checks that the url isn't expired based on the date in the table. If it isn't expired, the user is automatically logged in using the user_id and then redirected to the given url in the action column. I used two separate values (key & secret) for the url just for added security (prevent fusking).

Now because of the nature of the site (video lessons), security isn't a huge concern, but I'd still like to know what best practices to consider.

  • Should I limit the number of times a link can be used?
  • Currently I have the link expire 60 hours (3 days) from when the email is sent. Should this be lowered?
  • Two obvious risks for unauthorized access include someone forwarding the email or someone gaining access to the user's email account. Anything else to consider?

Thanks for everyone's insight; if this should be moved to another section of StackExchange, please let me know. I know I've seen other best practice posts on here in the past.

floatleft asked Jul 02 '13 00:07


1 Answer

Sending an auto-login link is fairly similar in risk to sending password-reset links in email and lots of sites do that.

This is a judgement call that you have to make. There's not a shared decision matrix that people use to decide what is and isn't an acceptable risk. What you're making here is more of a business decision, you're weighing the security risks versus ease of use (which can translate to more users and more business).

You need to ask the question 'What's the absolute worst thing in terms of site availability, business reputation and user experience that can happen if this feature is mis-used?'.

Additional things you should be concerned about:

  1. People plucking your auto-login links off of shared wifi networks
  2. Auto-login links ending up in the logs of proxies between your server and the client

I recommend making the links single-use only or keeping the expiration time low. You should also put in monitoring that will alarm if a link is being overused.

You should also make sure you're not vulnerable to SQL injection when you take the secret and query the DB.

u2702 answered Sep 20 '22 20:09
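An added example (not the asker's code and not from the answer) of the redemption flow the answer recommends: a parameterised lookup by key, a constant-time check of the secret, an expiry test, and atomic single-use consumption. It assumes the question's table layout plus a hypothetical `used` column, stores a hash of the secret instead of the plaintext, and uses an in-memory SQLite database in place of MySQL.

```python
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical helpers, not the asker's code. Table mirrors the question
# (key, secret, user_id, action, expires) but keeps only a hash of the
# secret and adds a 'used' flag so each link can be redeemed exactly once.

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE autologin (
        id INTEGER PRIMARY KEY, key TEXT UNIQUE, secret_hash TEXT,
        user_id INTEGER, action TEXT, expires TEXT, used INTEGER DEFAULT 0)""")
    return db

def issue_link(db, user_id, action, ttl_hours=60, now=None):
    """Create a link and return (key, secret); only sha256(secret) is stored."""
    now = now or datetime.now(timezone.utc)
    key = secrets.token_urlsafe(16)     # 22 chars, like the question's key column
    secret = secrets.token_urlsafe(30)  # 40 chars, like the secret column
    expires = (now + timedelta(hours=ttl_hours)).isoformat()
    db.execute("INSERT INTO autologin (key, secret_hash, user_id, action, expires)"
               " VALUES (?, ?, ?, ?, ?)",
               (key, hashlib.sha256(secret.encode()).hexdigest(),
                user_id, action, expires))
    db.commit()
    return key, secret

def redeem_link(db, key, secret, now=None):
    """Return (user_id, action) for a valid, unexpired, unused link, else None."""
    now = now or datetime.now(timezone.utc)
    # Placeholders, never string concatenation: the key comes straight from the URL.
    row = db.execute("SELECT id, secret_hash, user_id, action, expires"
                     " FROM autologin WHERE key = ?", (key,)).fetchone()
    if row is None:
        return None
    row_id, secret_hash, user_id, action, expires = row
    # Constant-time compare so response timing leaks nothing about the secret.
    if not hmac.compare_digest(secret_hash, hashlib.sha256(secret.encode()).hexdigest()):
        return None
    if datetime.fromisoformat(expires) <= now:
        return None
    # Conditional UPDATE: only one concurrent request can flip used 0 -> 1.
    cur = db.execute("UPDATE autologin SET used = 1 WHERE id = ? AND used = 0", (row_id,))
    db.commit()
    if cur.rowcount != 1:
        return None
    return user_id, action
```

Counting failed redemptions per key in `redeem_link` is the natural place to hook the "link being overused" alarm the answer suggests.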