If you want navigation to a URL to actually log a specific person in,
the tokens will have to be person-specific, won’t they? What do you
imagine the mechanics would be for getting a sending user to generate
one of those URLs? Are you trading recipient-convenience for
Would setting this up allow potential-senders to impersonate anyone by
generating and then navigating to one of these URLs?
As an alternative, consider setting a long-lived cookie when a user logs
in, and check for its presence as part of your authentication routine
(e.g., if cookie exists, assume they are legit & pass them on to the
destination page). That should cut down on the number of logins.
[mailto:firstname.lastname@example.org] On Behalf Of Ivor P.
Sent: Wednesday, October 15, 2008 5:36 AM
Subject: [Rails] login from token
I have users sending messages to other users with links in the email.
If the users click on the links in the email they go to the message in
the app, but invariably they aren't logged in and have to do so before
getting to the page they want to go to.
I want to build a login_from_token functionality that would add a token
for the user who receives the email so that the link will go directly to
the page, and in the process log them in.
My question: How safe is this? Are there issues with this approach in
terms of privacy?
The email is supposed to be personal email accounts so in principle the
link would be as safe as the email account?
I would appreciate your thoughts.
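
The following is an added example, not part of the thread or of any poster's code. It sketches one way to make the token person-specific and impossible for a sending user to generate: the server signs recipient id, message id and expiry with an HMAC key that only it holds. The secret, the lifetime and all method names are assumptions made for the illustration.

```ruby
require "openssl"

# Assumption: a server-side secret that senders never see (constructed value).
LOGIN_TOKEN_SECRET = "constructed-demo-secret"
TOKEN_TTL = 3 * 24 * 3600 # seconds a mailed link stays valid (assumed policy)

# HMAC over the payload; without the secret a sender cannot mint a valid one.
def token_mac(payload)
  OpenSSL::HMAC.hexdigest("SHA256", LOGIN_TOKEN_SECRET, payload)
end

# Constant-time comparison so the MAC check does not leak a matching prefix.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issued by the server when it mails the link: one recipient, one message.
def issue_login_token(recipient_id, message_id, now = Time.now)
  payload = "#{Integer(recipient_id)}-#{Integer(message_id)}-#{now.to_i + TOKEN_TTL}"
  "#{payload}.#{token_mac(payload)}"
end

# Returns { user_id:, message_id: } for a valid, unexpired token, else nil.
def verify_login_token(token, now = Time.now)
  m = /\A((\d+)-(\d+)-(\d+))\.(\h{64})\z/.match(token.to_s)
  return nil unless m && secure_equal?(m[5], token_mac(m[1]))
  return nil if now.to_i > m[4].to_i
  { user_id: m[2].to_i, message_id: m[3].to_i }
end

# The token should open only the message it was issued for, not a full session.
def may_view?(token, requested_message_id, now = Time.now)
  claims = verify_login_token(token, now)
  !claims.nil? && claims[:message_id] == requested_message_id
end
```

A forwarded or intercepted mail carries the token with it, so the link is only as private as the mailbox; keep the lifetime short and require a normal login for anything beyond viewing that one message.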