For many of the sites we develop, we verify the user's email address. Typically the workflow is as follows:
Clients often complain about this process being clunky and somewhat confusing, and I agree. The proposed solution is to remove step 3 and automatically log the user in after step 2.
I'm not sure if it matters (hence the question!), but I've always been wary of automatically logging a user in like this. What extra security risks should I consider before implementing the suggested solution?
This also applies in situations like password resets, where the user might be logged in automatically and then made to change their password.
For the sake of this question, let's assume that verifying the email is a hard requirement. I'm aware that there are situations where this isn't necessary, but let's talk about those where it is.
It depends on your application. You would never do that if you were running a bank's website. You might do that if you were running a site like Flickr, Facebook, or various other social sites.
The other thing you may want to consider is providing only limited accessibility. I know Amazon does this in parts of their site. A user can browse the site as if they were logged in, but only to a point. Before they can do anything related to purchasing and orders, they have to supply their password.
Edit: One other issue that just occurred to me. Make sure that you can invalidate the URLs. Generate tokens in your database that you put in the emails, and then have a way to revoke those tokens. One way to do this is to put a counter on all of your user records and then copy that counter value into the token table when you generate the emails. If you ever need to revoke a large number of tokens quickly, you can simply increment the counter on the user record. You can then easily see that the token's counter does not match the user's counter, so you can reject the token.
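The two points in the answer above, a "limited" session that still demands a password before anything sensitive, and a per-user counter that lets you revoke every outstanding email token at once, as one added example. This is not code from the answer or from any real site; `VerificationStore`, `token_generation`, `Session.scope`, `elevate()` and `may_purchase()` are names assumed here, and the in-memory dicts stand in for the user and token tables. Tokens are stored hashed, expire, and are single-use, which the answer does not spell out but which a practitioner would add.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    email: str
    salt: bytes
    password_hash: bytes
    email_verified: bool = False
    # Hypothetical per-user counter: bumping it invalidates every token that
    # was issued with the old value, without touching the token table at all.
    token_generation: int = 0


@dataclass
class Token:
    user_id: int
    generation: int      # copy of User.token_generation at issue time
    expires_at: float
    used: bool = False


@dataclass
class Session:
    user_id: int
    scope: str           # "limited" after an email link, "full" after a password


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VerificationStore:
    """In-memory stand-in for the user and token tables (constructed example)."""

    def __init__(self, ttl_seconds: float = 3600):
        self.ttl = ttl_seconds
        self.users: dict[int, User] = {}
        self.tokens: dict[str, Token] = {}   # keyed by SHA-256 of the raw token

    def add_user(self, user_id: int, email: str, password: str) -> User:
        salt = secrets.token_bytes(16)
        user = User(user_id, email, salt, _pw_hash(password, salt))
        self.users[user_id] = user
        return user

    @staticmethod
    def _key(raw_token: str) -> str:
        # Store only a hash so a leaked token table cannot be replayed.
        return hashlib.sha256(raw_token.encode()).hexdigest()

    def issue_token(self, user_id: int, now: float) -> str:
        user = self.users[user_id]
        raw = secrets.token_urlsafe(32)       # this is what goes into the email URL
        self.tokens[self._key(raw)] = Token(user_id, user.token_generation, now + self.ttl)
        return raw

    def revoke_all(self, user_id: int) -> None:
        # O(1) mass revocation: every outstanding token now carries a stale generation.
        self.users[user_id].token_generation += 1

    def redeem(self, raw_token: str, now: float):
        """Return (Session, "ok") or (None, reason). The session is deliberately limited."""
        tok = self.tokens.get(self._key(raw_token))
        if tok is None:
            return None, "unknown"
        if tok.used:
            return None, "already used"
        if now > tok.expires_at:
            return None, "expired"
        user = self.users[tok.user_id]
        if tok.generation != user.token_generation:
            return None, "revoked"
        tok.used = True                         # single use, even inside the TTL
        user.email_verified = True
        return Session(user.user_id, scope="limited"), "ok"

    def elevate(self, session: Session, password: str) -> bool:
        """Step-up: a password is required before the session may do anything sensitive."""
        user = self.users[session.user_id]
        if hmac.compare_digest(_pw_hash(password, user.salt), user.password_hash):
            session.scope = "full"
            return True
        return False

    @staticmethod
    def may_purchase(session: Session) -> bool:
        return session.scope == "full"
```

In a real deployment the generation check runs against the user row at redemption time, so bumping the counter revokes links that were already sent without scanning the token table; the "limited" scope is what lets you log the user in from the link while still refusing purchases, password changes, or email changes until `elevate()` succeeds.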