Is it a bad idea to automatically log users in from an email?


Question

For many of the sites we develop, we verify the user's email address. Typically the workflow is such:

1. User signs up on the site (an activation email containing a link is sent)
2. User verifies the email address (clicks the link above)
3. User must log in to the site in order to use it (assuming they are not already logged in)

Clients often complain about this process being clunky and somewhat confusing, and I agree. The proposed solution is to remove step 3 and automatically log the user in after step 2.

I'm not sure if it matters (hence the question!), but I've always been wary of automatically logging a user in like this. What extra security risks should I consider before implementing the suggested solution?

This also applies in situations like password resets, where the user might be logged in automatically and then made to change their password.

For the sake of this question, let's assume that verifying the email is a hard requirement. I'm aware that there are situations where this isn't necessary, but let's talk about those where it is.

Answer

I'd make sure there is a time limit on the validity of the link in the email and make it only valid for one click.
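The answer's two conditions (time-limited, single-use) are the whole design of a safe login link, so here is an added example implementing them; it is not code from the answerer or from any particular framework. Assumptions: an in-memory dict stands in for the database table; the validity window `TOKEN_TTL_SECONDS` is set to 15 minutes; each token carries a `purpose` so an email-verification link cannot be replayed against the password-reset endpoint; `login_from_link` is a hypothetical helper showing what the server does after a successful click, including flagging a reset session as requiring a password change.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumption: links stop working 15 minutes after they are issued.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class TokenRecord:
    user_id: int
    purpose: str        # "verify_email" or "password_reset"
    expires_at: float   # epoch seconds
    used: bool = False  # flipped on first successful redemption


class LoginTokenStore:
    """Stand-in for a database table of outstanding email-link tokens (constructed for this example).

    Only a SHA-256 hash of each token is stored, so a leaked database row
    does not hand an attacker a working login link.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock          # injectable so expiry can be tested
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: int, purpose: str) -> str:
        """Create a fresh token and return the plaintext to embed in the email link."""
        # Issuing a new link supersedes any earlier unused link for the same purpose,
        # so only the most recent email a user requested can ever log them in.
        for rec in self._records.values():
            if rec.user_id == user_id and rec.purpose == purpose:
                rec.used = True
        # 32 bytes from the OS CSPRNG; the plaintext exists only in the returned value
        # and the outgoing email, never in the database or application logs.
        token = secrets.token_urlsafe(32)
        self._records[self._hash(token)] = TokenRecord(
            user_id=user_id,
            purpose=purpose,
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return token

    def redeem(self, token: str, purpose: str) -> Optional[int]:
        """Return the user id if the link is valid, else None.

        A successful redemption consumes the token, so a second click (or a
        token captured from a mail relay or browser history) fails.
        Lookup is by hash of an unguessable random value, so no timing
        side-channel on the comparison is exploitable here.
        """
        rec = self._records.get(self._hash(token))
        if rec is None or rec.used or rec.purpose != purpose:
            return None
        if self._clock() > rec.expires_at:
            rec.used = True   # expired links are dead, not merely dormant
            return None
        rec.used = True       # burn before returning, so the single-use rule holds
        return rec.user_id


def login_from_link(store: LoginTokenStore, token: str, purpose: str) -> Optional[dict]:
    """Hypothetical post-click handler: redeem the link and mint a brand-new session."""
    user_id = store.redeem(token, purpose)
    if user_id is None:
        return None
    # A fresh session id, not one carried over from before the click, avoids
    # session fixation; a reset link yields a session that may only change the password.
    return {
        "session_id": secrets.token_urlsafe(32),
        "user_id": user_id,
        "must_change_password": purpose == "password_reset",
    }
```

In a real deployment the store is a table keyed by the token hash, the clock is the database's, and `must_change_password` is enforced by middleware that refuses every other route until the password has been changed; none of that changes the two checks in `redeem`.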
