I think this could be done safely (well, just about as safe as sending forgotten password reset links):
1. Set a short expiry date on the link (1 day).
2. On first click within 1 day, log user in and expire link. Ask user if they want to stay logged in (via a subtle overlay at the top of the page perhaps + set "remember me" cookie).
3. On subsequent clicks within 1 day: if user has "remember me" cookie, log them in, otherwise redirect to login screen.
4. Clicks to link after 1 day: redirect to login page.
This should be just about as safe as a forgotten password email; they both have an expiry period + 1 time use, meaning anyone intercepting the email before the expiry and before the user clicks on it can impersonate the user.
The only counter-point that I'll make against my own point is that a forgotten password email is sent on demand, i.e. a user requests it, so they are probably more likely to click it immediately (hence expire it immediately).
I wouldn't do this for an e-commerce or otherwise sensitive app, but for something a bit more casual I think it would be OK.
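The four steps above as a server-side check, added here as an example and not part of the original answer. The `LoginLinks` class and its in-memory dicts are hypothetical; storing only SHA-256 hashes of tokens and requiring the remember-me cookie to belong to the link's own user are assumptions of this example.

```python
import hashlib
import secrets
import time

LINK_TTL = 24 * 60 * 60  # step 1: link expires after 1 day


class LoginLinks:
    """In-memory store for emailed login links (hypothetical, for illustration)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._links = {}     # sha256(token) -> {"user", "expires", "used"}
        self._remember = {}  # sha256(cookie value) -> user

    @staticmethod
    def _digest(value):
        # Assumption: keep only hashes so a leaked table holds no usable tokens.
        return hashlib.sha256(value.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)  # unguessable value for the emailed URL
        self._links[self._digest(token)] = {
            "user": user, "expires": self._clock() + LINK_TTL, "used": False}
        return token

    def grant_remember_me(self, user):
        cookie = secrets.token_urlsafe(32)  # send as a Secure, HttpOnly cookie
        self._remember[self._digest(cookie)] = user
        return cookie

    def click(self, token, remember_cookie=None):
        """Return ("login", user) or ("redirect_login", None)."""
        link = self._links.get(self._digest(token))
        if link is None or self._clock() >= link["expires"]:
            return ("redirect_login", None)  # step 4, or an unknown token
        if not link["used"]:
            link["used"] = True              # step 2: first click consumes the link
            return ("login", link["user"])
        # Step 3: link already used, so only a matching remember-me cookie logs in.
        owner = self._remember.get(self._digest(remember_cookie or ""))
        if owner is not None and owner == link["user"]:
            return ("login", owner)
        return ("redirect_login", None)
```
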