tags:

views:

116

answers:

6
+3  Q: 

Is it a bad idea to automatically log users in from an email?

For many of the sites we develop, we verify the user's email address. Typically the workflow is such:

  1. User registers for site (activation email is sent with link to activate)
  2. User verifies email address (by clicking aforementioned link)
  3. User must log in to site in order to use it (assuming they weren't already logged in)

Clients often complain about this process being clunky and somewhat confusing, and I agree. The proposed solution is to remove step 3 and automatically log the user in after step 2.

I'm not sure if it matters (hence the question!), but I've always been wary of automatically logging a user in like this. What extra security risks should I consider before implementing the suggested solution?

This also applies in situations like password resets, where the user might be logged in automatically and then made to change their password.

For the sake of this question, let's assume that verifying the email is a hard requirement. I'm aware that there are situations where this isn't necessary, but let's talk about those where it is.

+4  A: 

It depends on your application. You would never do that if you were running a banks website. You might do that if you were running a site like Flickr, Facebook, or various other social sites.

The other thing you may want to consider is providing only limited accessibility. I know Amazon does this in parts of their site. A user can browse the site as if they were logged in, but only to a point. Before they can do anything related to purchasing and orders, they have to supply their password.

Edit: One other issue, that just occurred to me. Make sure that you can invalidate the urls. Generate tokens in your database that you put in the emails, and then have a way to revoke those tokens. One way to do this is to put a counter on all of your user records and then copy that counter value into the token table when you generate the emails. If you ever need to revoke a large number of tokens quickly, you can simply increment the counter on the user record. You can then easily see that the token's counter does not match the users counter, so you can reject the token.

dave mankoff  2010-08-27 17:04:54
Nice one about the tokens. It might not be necessary but it's easy to build if you think of it beforehand :)
extraneon  2010-08-27 17:24:49
Yeah, we built this into our authentication system. When a user changes their password, it increments their "tick" and assigns that client a new token. Any client currently logged into that account from a different location instantly gets logged out and asked to reauthenticate. And there's no need to worry about how many tokens are involved since there's only one database row that actually needs to change (as opposed to deleting all associated tokens which could be an arbitrary number.)
dave mankoff  2010-08-27 17:31:08
I'm not sure I understand this tick/counter idea. Isn't it just `DELETE FROM user_tokens WHERE user_id IN (/*...*/)` vs. `UPDATE users SET counter = counter+1 WHERE user_id IN (/*...*/)`? What's the advantage of the latter?
notJim  2010-08-27 17:42:57
Theoretically, one user could have multiple tokens. With the delete, you could end up deleting *a lot* of rows, depending on your application. With the counter, you are limited to the number of users on your system (just one user if that's all you need to expire). Neither scales perfectly, but with the counter, you can quickly invalid a modest number of users easily.
dave mankoff  2010-08-27 17:59:52
Ahh, that makes sense.
notJim  2010-08-27 18:22:47
+4  A: 

I'd make sure there is a time limit on the validness of the link in the email and make it only valid for one click.

Jessta  2010-08-27 17:09:16
+1  A: 

At a minimum,

  • put a hard time limit on how long the link is active (1-2 days?)
  • make it work exactly once. No matter what happens after the first time it is used, if it gets used again, a 404 gets issued.
BCS  2010-08-27 17:09:47
A: 

I would automatically login the user if and only if they have clicked a "Remember me on this computer" check box at step 1

Thierry-Dimitri Roy  2010-08-27 17:22:24
A: 

There is nothing wrong with using an e-mail address as a user identifier. It tells you the person who is doing the registration has access to that e-mail address at that particular time. But I do think the link should expire, and if the link expires, kick out that e-mail address out of your database (as it may be someone elses e-mail).

As e-mail is not secure, nor very personal (there are a number of free temporary e-mail sites on the web) you can't really use e-mail in a situation where trust is important. But for a simple website where you want some kind of accounts I don't think it is an issue.

To your opninion on point 2, in my opinion, if you don't have step 2, you also don't have to bother with step 1 and 3.

If you don't let the user verify the e-mail address, you shouldn't even ask it. You wouldn't have a clue wether it was a real address, corresponding to the person who tries to make an account.

If you don't have an e-mail address, there is no way a user could be given a new password, as you don't know where to send it to. The e-mail address entered might belong to someone else, who doesn't even want to have an account on your site.

If you can't reset the password via an e-mail address (reliably), you shouldn't bother with logging in at all. Go for an accountless site.

This assumes you do not use a callcenter or helpdesk to verify accounts, and handle password resets of course.

extraneon  2010-08-27 17:23:48
I'm not sure I understand. We're not considering removing the verification step. Instead, we're considering logging the user in automatically once they've verified their email.
notJim  2010-08-27 17:46:45
Then i misunderstood the question. Logging in with the confirmation link is a great idea imho.
extraneon  2010-08-27 18:40:16
+2  A: 
erickson  2010-08-27 17:23:59

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security