I have a new website. And the following is my scenario:
I will send an email to 5 people (the number is not important). Inside the email, I will include a link for them to click:
www.domain.com/[email protected]&key=abc...xyz
The key is randomly generated using a salt and sha1 in PHP. Upon clicking the link in their email, can I directly let them access the update profile page? Or do I need to ask them to log in again?
If I directly let them access the update profile page, what are the security issues I need to take care of? I know that with a login I can store a session, but the thing is, they click the link from their email, and I think it's quite private and safe.
The only security flaw I can think of is that a hacker could magically memorize the "key" (which is 60+ characters) and then type it into the browser URL bar: www.domain.com/[email protected]&key=abc...xyz.
If the hackers can do that, then I am done. My users' accounts will be hacked.
Is there anything else that a hacker can hack? It is just the update profile page.
By the way, if they have already updated their profile, should I remove the "key" from the database?
I am using PHP and MySQL.
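The following is an added example (not code from the question) of how the emailed key can be issued and redeemed safely in PHP: the key comes from the CSPRNG, only its hash is stored, lookup is bound to the email, comparison is constant-time, and the key expires and is marked used after one successful visit (which also answers the "should I remove the key" question). It assumes a PDO connection and a hypothetical profile_links table; an in-memory SQLite database and a constructed email address are used so it runs stand-alone.

```php
<?php
// Added example, not from the original question. Table name, column names and the
// sample address are constructed for this demo.
declare(strict_types=1);

function createProfileLink(PDO $db, string $email, string $baseUrl, int $ttlSeconds = 3600): string
{
    // 32 random bytes from the CSPRNG; no need for a salt+sha1 construction.
    $key = bin2hex(random_bytes(32));
    // Store only a hash of the key: a leaked database row then cannot be replayed as a link.
    $stmt = $db->prepare('INSERT INTO profile_links (email, key_hash, expires_at, used) VALUES (?, ?, ?, 0)');
    $stmt->execute([$email, hash('sha256', $key), time() + $ttlSeconds]);
    return $baseUrl . '?email=' . rawurlencode($email) . '&key=' . $key;
}

function redeemProfileLink(PDO $db, string $email, string $key): bool
{
    // Look up by email so a key can only ever open the profile it was issued for.
    $stmt = $db->prepare('SELECT id, key_hash, expires_at, used FROM profile_links WHERE email = ?');
    $stmt->execute([$email]);
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if ((int)$row['used'] === 1 || (int)$row['expires_at'] < time()) {
            continue; // consumed or expired links never match
        }
        // Constant-time comparison so response timing does not leak matching prefixes.
        if (hash_equals($row['key_hash'], hash('sha256', $key))) {
            // Single use: mark the link consumed before granting access to the page.
            $db->prepare('UPDATE profile_links SET used = 1 WHERE id = ?')->execute([$row['id']]);
            return true;
        }
    }
    return false;
}

// Stand-alone demo with constructed data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE profile_links (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT, key_hash TEXT, expires_at INTEGER, used INTEGER)');
$link = createProfileLink($db, 'user@example.com', 'https://www.domain.com/update-profile');
parse_str((string)parse_url($link, PHP_URL_QUERY), $q);
var_dump(redeemProfileLink($db, $q['email'], $q['key']));   // first visit: key accepted
var_dump(redeemProfileLink($db, $q['email'], $q['key']));   // repeat visit: link already consumed
var_dump(redeemProfileLink($db, 'other@example.com', $q['key'])); // same key, different email: rejected
```

Because the key travels in a URL, it can also end up in browser history, proxy logs and Referer headers of any outbound links on the page, so the short expiry and single-use marking above limit how long a copied link stays useful. Whatever session is created on success should only grant access to the update profile page, not a full login.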