Not to also forget that if you have automagic login links in the email, you can no longer forward that email to anyone without compromising your account.
Simple solution: put a persistent cookie on the computer of everyone who's ever logged in. Automatically log the user in if this cookie is present and the URL is correct. Obviously, the cookie should be unforgeable - e.g. HMAC-SHA1(service_secret_key, username).
You could also pixel-track the email, and only allow in the first IP address.
However, that falls over with people who have Display Images turned off AND don't click through to the website before they forward it. But if you HAD to do this feature, it would help a little.
The only situation you're targeting, then, is when a user intentionally logged out (in non-privacy mode) in the past (because otherwise they wouldn't have the half-cookie). Is it really desirable to log them in automatically in such cases? But then if they're clicking on the link in the first place, one might conclude that their desire is to log in, so it's just added convenience.
However, is it legal under the new EU cookie-act? I mean, after all, this is tracking outside of our website.
This is the best approach to the problem, though it doesn't satisfy the implied(?) requirement that new devices should auto-authenticate seamlessly. You have to keep track of all of the cookies, of course, but there is comparatively little risk in letting previously authenticated machines (with an expired session) perform automatic login via a token in an email. The OP should point this out in his article.
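The device-cookie scheme discussed in the comments above, as an added sketch that is not code from the thread or from the article's author. It assumes HMAC-SHA256 in place of the HMAC-SHA1 mentioned, adds a random per-device ID with a server-side table (so cookies can be tracked and revoked) and an expiry on the emailed link; all function and variable names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

SERVICE_SECRET_KEY = secrets.token_bytes(32)  # assumption: demo key, generated per run
KNOWN_DEVICES = {}  # device_id -> username; server-side record enabling revocation


def _mac(*parts: str) -> str:
    # Length-prefix every field so ("ab", "c") and ("a", "bc") give different MACs.
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(SERVICE_SECRET_KEY, msg, hashlib.sha256).hexdigest()


def _valid(given: str, *parts: str) -> bool:
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(given.encode(), _mac(*parts).encode())


def issue_device_cookie(username: str) -> str:
    """Persistent cookie set after a normal login; it survives logout."""
    device_id = secrets.token_hex(16)
    KNOWN_DEVICES[device_id] = username
    return f"{device_id}.{_mac('device', username, device_id)}"


def make_email_link_token(username: str, ttl: int = 86400, now=None) -> str:
    """Token embedded in the emailed URL; useless without a device cookie."""
    expires = str(int(time.time() if now is None else now) + ttl)
    return f"{username}.{expires}.{_mac('link', username, expires)}"


def auto_login(link_token: str, device_cookie, now=None):
    """Return the username to log in, or None to fall back to the login form."""
    now = time.time() if now is None else now
    try:
        username, expires, link_mac = link_token.rsplit(".", 2)
        device_id, cookie_mac = (device_cookie or "").split(".")
    except ValueError:
        return None  # malformed token, or no cookie (e.g. a forwarded email)
    if not _valid(link_mac, "link", username, expires) or int(expires) < now:
        return None
    if not _valid(cookie_mac, "device", username, device_id):
        return None  # forged cookie, or a cookie issued to a different user
    if KNOWN_DEVICES.get(device_id) != username:
        return None  # device was revoked server-side
    return username
```

A recipient of a forwarded email has no cookie for that account, so the link only takes them to the ordinary login form.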
Yep, this alone is a borderline fatal flaw. The practice of sharing links, whether done intentionally or unintentionally through email forwarding, is pervasive and people won't stop to think about whether the URL contains an embedded login token. This practice opens up a new class of vulnerabilities in the human error realm.
Now there could of course be ways around this like time/ip/geo pattern tracking, but that's no trivial enterprise.
Try educating end-users on that one!