redirecting to within site


3

I have a system, with login and password, that sends notifications by email to users when a certain situation occurs. When the user clicks on the link in the email notification, they are redirected to an internal system page; HOWEVER, if the user is not logged in to the system, they will be barred. The question is, how to "auto-login" this user at the time of the redirect?

3 answers

4


NEVER

Never log in automatically based on links that are received by email.

There is an infinite number of scenarios that can make the email reach another person and/or be read by third parties.

That poses a high security risk because you're giving access without credential validation! If the email is not in the hands of its real owner, they can access the supposedly protected area with no more than a click on a link... imagine the sea of problems that would result from that!

I suggest you rethink your strategy to ensure that the link works but you always have to enter your password at the very least.

Recommendation

I suggest that the login is always done through user input, and after successful validation you can direct the user to the page linked in the email:

  • The link in the email:

    http://www.example.com/pagina/xtpo/

  • When the user arrives at the page without being logged in:

    <?php
    session_start();

    // capture the current URL
    $urlAtual = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";

    // store it in the session
    $_SESSION["minhaSessao"]["redirect"] = $urlAtual;

    // login and so on...

    // login went well, redirect:
    header('Location: '.$_SESSION["minhaSessao"]["redirect"]);
    exit;


Note:
The success of this operation and/or the methodology varies depending on how the login is performed and how the session is handled.

  • Okay @Zuul, got it. So these emails we receive as notifications from a system where we have a registration, such as Free Market, which lets you know when someone bought a product from you and gives you a link to see the purchase, aren't correct? Or do these companies have, use, some secure way to do this redirect? Thanks.

  • @Gustavosevero These emails will link to the website, but if the login is not active, the "normal" thing is to present the login page so that the user authenticates and is then directed to the correct page. If the login is already active, the website knows this and sends the user directly to the correct page. Overriding login for convenience is throwing away all the application's security.

  • Sorry @Zuul, that was it!!!! That's right, how can you make this redirect after the user logs in?

  • @Gustavosevero Edited with an illustrative example of how to achieve the redirect.

  • Got it @Zuul, I’ll try.

  • I edited the question and put the code for how I should do it, to see if you're right @Zuul.

  • @Gustavosevero You should not edit the question; the existing answers lose their meaning and are no longer useful to the topic. You should create a new question about the new problem at hand so you can get help with this new subject without harming this topic.

  • Can you give me your email?

  • Guys, I'm "stuck" on how to get the URL from the email and pass it to $_SESSION. Help @Zuul

  • 1

    @Gustavosevero You do it as I have in the example in the answer. If it is not clear or does not solve your new problem, it is best to post a new question to deal with it and receive help from the community. Here in the comments it is difficult to solve...


3

You can add a column called token to the users table and, every time you need to send a notification, generate a new token and send a link to an activation route where you can read the token that was sent.

You can generate the token as follows:

$token = bin2hex(openssl_random_pseudo_bytes(16));

The route would be something like:

www.seusite.com.br/ativa-notificacao/a127be805346054046f75a31f8e4043d

On this page you should check if there is any user in your system with this token; if so, you take that user's information and save what you need in the session, as if they had logged in.

When the token has been validated and the user is logged in to your system, delete the user's token and only generate another one when you need to send another notification. This process is very important, otherwise someone may get access to another user's token and log in in their name.

I recommend this solution because I use it to validate emails when someone creates an account in my system, by sending an activation email.

  • My system is not a notification system, it's a pet search system. Sending notifications is just a "task" the system has to warn other users. In this case, what you are suggesting is, instead of logging in, as I said, the system allows the user to access the system, whether this token exists or not? But can't this cause problems in the system? Because it bars access if the user does not log in.

  • @Gustavosevero, I am not suggesting a replacement, I am suggesting an additional way to log in your users through the link, so the link itself will activate the user's session.
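A hardened form of the token flow described in this answer, added here as an example (it is not the answer's own code): the token comes from random_bytes, only its SHA-256 hash is stored, it expires after a fixed time, and it is cleared on first use so a forwarded or replayed link cannot log in again. The token_hash and token_expires columns, the table layout and the in-memory SQLite demo data (pdo_sqlite required) are assumptions.

```php
<?php
// Added example, not the answer's own code: single-use, expiring login token.
// Assumes a users table with (assumed) columns token_hash and token_expires;
// only the hash is stored, so a database leak does not yield usable links.
declare(strict_types=1);
const TOKEN_TTL_SECONDS = 3600; // assumption: a notification link is valid for 1 hour

// Create a fresh token for a user, store its hash and expiry, return the raw token.
function issueNotificationToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, 32 hex chars
    $stmt = $db->prepare('UPDATE users SET token_hash = :h, token_expires = :e WHERE id = :id');
    $stmt->execute([
        ':h'  => hash('sha256', $token),
        ':e'  => time() + TOKEN_TTL_SECONDS,
        ':id' => $userId,
    ]);
    return $token; // this is what goes into /ativa-notificacao/<token>
}

// Check a token from the link. On success the token is cleared (single use)
// and the user id is returned; on any failure null is returned.
function consumeNotificationToken(PDO $db, string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null; // malformed input, no database round trip
    }
    $stmt = $db->prepare('SELECT id, token_expires FROM users WHERE token_hash = :h');
    $stmt->execute([':h' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['token_expires'] < time()) {
        return null; // unknown or expired token
    }
    // Invalidate before starting the session, so a replayed link fails.
    $db->prepare('UPDATE users SET token_hash = NULL, token_expires = NULL WHERE id = :id')
       ->execute([':id' => $row['id']]);
    return (int) $row['id'];
}

// Demo with an in-memory SQLite database and constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, token_hash TEXT, token_expires INTEGER)');
$db->exec("INSERT INTO users (id, email) VALUES (7, 'user@example.com')");

$token  = issueNotificationToken($db, 7);
$first  = consumeNotificationToken($db, $token); // first use: the user id
$second = consumeNotificationToken($db, $token); // token already cleared: null
// The real page would now call session_regenerate_id(true) and set $_SESSION['user_id'] = $first.
```

Because the hash is what the row is looked up by, the raw token never touches the database; keeping the TTL short limits the window in which a leaked email is useful.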

2

Authenticating a user directly from an email, although it is a very interesting feature from a user experience point of view, needs to be implemented with care and balance from a system security point of view.

I will present some approaches, which include some things that the other answers have already talked about.

Security Concern

As @Zuul mentioned, email link authentication is a major security issue. There are two main reasons:

  1. Link-based authentication is easy to intercept. The URLs you access are stored in logs and can be tracked in various ways. There are several ways a person can get hold of the link and pass themselves off as you. On the other hand, a username and password submitted in a form, when used over a secure connection, are not stored and cannot be viewed by a third party monitoring traffic between client and server.

  2. Emails can be replied to and forwarded, mistakenly exposing the restricted link to third parties.

Even so, we can think of different ways to improve the user experience with direct links without compromising security so much.

Login with redirection

The most secure way that does not affect the user experience so much is to have the email link point to a page that performs the following procedure:

  1. Check whether the user is logged in. If the user is logged in, they will have a cookie or something that identifies them, right?

    2.1. If authentication is confirmed, simply redirect the request to the email link.

    2.2. If the user is not authenticated, the system displays the login page. After the user logs in, the system should then redirect them to the email link.

In this approach, the original link can be stored in the URL itself. Examples:

  • Address in the email:

    http://servidor/administracao/secao1

  • Address of login screen:

    http://servidor/login?page=administracao/secao1

This way, after login it is possible to know which screen the user should be redirected to.

The authentication approach makes it necessary for the user to authenticate. However, the login can be kept for longer than the current browser session. For example, Evernote has a login option to "remember the user for a week". This means the user would not need to authenticate for a week. Note that this is only feasible on private computers.

Login with unique token

This is the approach mentioned by user @gerep. The idea is to generate a unique token per link so that no one can guess it, and then invalidate the token after its use.

The problem with this approach is that the user will certainly try to repeat the same action some time later and will be denied access. This is good from a security point of view, but a bad user experience.

Limited login with token

Another alternative, which some sites like LinkedIn use, is to generate a token that is not invalidated but gives only restricted access to the system.

In the case in question, the token can give access only to the screen referred to in the email, or maybe to screens that only display data.

If the user tries to access some action or edit something in the system, then a full login would be required.

Considerations

Finally, define the level of security and, depending on the system, you can use a mixed set of approaches.
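The "login with redirection" flow above (and the session-based variant in @Zuul's answer) has one check a practitioner wants: the page parameter or stored URL must only ever send the user somewhere inside the site, otherwise /login?page=... becomes an open redirect that phishing emails can abuse. The following is an added example, not code from any of the answers; the route, function and session key names are assumptions, and session_start() is assumed to have been called earlier.

```php
<?php
// Added example, not the answer's own code: only redirect to targets inside
// this site after login, so /login?page=... cannot be abused as an open redirect.
// Route and session key names are assumptions.
declare(strict_types=1);

// Turn the ?page= value into a safe local path, or fall back to $default.
function safeRedirectTarget(?string $page, string $default = '/'): string
{
    if ($page === null || $page === '') {
        return $default;
    }
    // Reject anything that could leave the site: a scheme ("https:", "javascript:"),
    // a protocol-relative URL ("//evil"), backslashes or control characters.
    if (preg_match('#^/[\\\\/]|^[a-z][a-z0-9+.-]*:|[\\\\\x00-\x1f]#i', $page)) {
        return $default;
    }
    // "administracao/secao1" (as in the email) becomes "/administracao/secao1".
    $path = '/' . ltrim($page, '/');
    // Allow-list of plain path characters and no ".." segments.
    if (!preg_match('#^/[A-Za-z0-9_\-./]*$#', $path) || strpos($path, '..') !== false) {
        return $default;
    }
    return $path;
}

// On /login (session_start() already called): remember the validated target.
function rememberRedirectTarget(): void
{
    $_SESSION['redirect'] = safeRedirectTarget($_GET['page'] ?? null);
}

// After the credentials have been checked successfully.
function finishLogin(int $userId): void
{
    session_regenerate_id(true); // new session id after login (session fixation)
    $_SESSION['user_id'] = $userId;
    $target = $_SESSION['redirect'] ?? '/';
    unset($_SESSION['redirect']);
    header('Location: ' . $target, true, 302);
    exit;
}

// Constructed inputs: the first is accepted, the rest fall back to "/".
foreach (['administracao/secao1', '//evil.example', 'https://evil.example/x',
          '/a/../administracao', 'javascript:alert(1)'] as $p) {
    printf("%-28s -> %s\n", $p, safeRedirectTarget($p));
}
```

Validating once when the target is stored, rather than at redirect time, also covers the session-stored URL from the first answer, since nothing unvalidated ever reaches the Location header.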
