Is it simply an artifact of the old fear (still around in some places) of cookies? I also would like to know if it is bad practice to simply pass in user names from an outbound email.
views:
47answers:
1Nothing is stopping the web app from always remembering the user for as long as they want on particular computer without asking explicit permission from the user. However, doing so has security and privacy implications on shared computers.
Imagine you go to a cyber-cafe or a library, sit on a shared computer and login to your bank website (which you shouldn't do from such places anyway :-)). The bank website tries to be "smart" and persists a cookie with a ticket based on your credentials. When you're done, you close the browser without logging off. Next person sits down, opens the browser, looks at the history and goes to the bank site. And now they have magically access to all your money.
That would probably be the last time you use that bank for anything.
Update: To answer the second part of the question (and the comment below)
If you are afraid of URL injection, you should probably not specify the username in the email URL itself. Instead, generate a one-time token (you could use a one-way hash of the user name and a website secret for example), which wouldn't mean anything to an external site, but would allow you to extract the user identity and prepopulate the field on the page.
Keep in mind that you should not include in the URL in the email enough information, so that clicking on that link would authenticate the user to your site. You still want the user to prove their identity.