I have users sending messages to other users with links in the email.
If the users click on the links in the email they go to the message in
the
app, but invariably they arent logged in and have to do so before
getting to
the page they want to go to.
I want to build a login_from_token functionality that would add a token
for
the user who receives the email so that the link will go directly to the
page, and in the process log them in.
My question: How safe is this? Are their issues with this approach in
terms
of privacy?
The email is supposed to be personal email accounts so in principle the
link
would be as safe as the email account?
If you want navigation to a URL to actually log a specific person in,
the tokens will have to be person-specific, won’t they? What do you
imagine the mechanics would be for getting a sending user to generate
one of those URLs? Are you trading recipient-convenience for
sender-inconvenience?
Would setting this up allow potential-senders to impersonate anyone by
generating and then navigating to one of these URLs?
As an alternative, consider setting a long-lived cookie when a user logs
in, and check for its presence as part of your authentication routine
(e.g., if cookie exists, assume they are legit & pass them on to the
destination page). That should cut down on the number of logins.
I have users sending messages to other users with links in the email.
If the users click on the links in the email they go to the message in
the app, but invariably they arent logged in and have to do so before
getting to the page they want to go to.
I want to build a login_from_token functionality that would add a token
for the user who receives the email so that the link will go directly to
the page, and in the process log them in.
My question: How safe is this? Are their issues with this approach in
terms of privacy?
The email is supposed to be personal email accounts so in principle the
link would be as safe as the email account?
I would simply store the request uri in the session,
redirect the user to the login page and after successful
login redirect him to the requested page.
I am using restful_authentication and have the login required process as
Thorsten described.
What I wanted to do is allow a user to send a message to another user.
In
the mailer I want to call a method to append a token to that url that is
specific to the user who will receive the email. When the user follows
the
link, i do a login_from_token and delete the token. Thus the token is a
one
time auto-login for a specific user with no extra effort for the user
sending the message and allowing the user following the link to skip the
login page.
I am going with the remember-me cookie method, but I am still curious if
there is a problem with what I want to do. I’m assuming private email is
a
secure way of sending the receiving user a link that would allow them
auto-login. I dont use remember me cookies - i grew up in a family where
we
shared a pc so I just never got in the habbit and login in everywhere
just
seems a PITA. My email is pasword protected so it should be enough proof
that I am who I am. The fact that the token only works once would also
minimize the risk that a user sends the link to someone else allowing
them
to access their account.
I dont want to waste anyone’s time. I am going with remember me, but if
someone is interested from an academic perspective I would enjoy their
input.