-4

I'm trying to create a link in PHP that, when clicked, automatically logs the user in to the website, passing authentication. Example: Facebook sends a link to verify your account; after clicking it, the browser opens Facebook and the user is logged in.

akaamil
  • 51
  • 10
  • That is a terrible idea. Are you sure that's what FB do, or is that just how it appears because you click the link on the machine you've already logged in on. – Jonnix Apr 04 '19 at 10:41
  • What **specific** problem are you having? – Quentin Apr 04 '19 at 10:41
  • @Jonnix yeah, I am 100% sure that FB does that, you can check it on another device – akaamil Apr 04 '19 at 10:44
  • @Quentin actually I want to send the link to users via email; after clicking the link they are automatically logged in to the system – akaamil Apr 04 '19 at 10:48
  • So what is your actual _question_ here then? _“I'm trying”_ isn’t one. – 04FS Apr 04 '19 at 10:49
  • @akaamil — That's a high-level description of a software project suitable for an elevator pitch to whoever has to sign off on having someone do it. It isn't a clear problem statement about a *specific* issue you've run into trying to implement it. It isn't even enough to give to a freelancer you've hired to do the entire thing (because it says nothing about the authentication system you want it to tie in to). – Quentin Apr 04 '19 at 10:49
  • 1
    Just tested FB with new account on PC. Opened verify link on mobile, asks to log in. Double checked with incognito window on PC, also requires login. – Jonnix Apr 04 '19 at 10:50

1 Answer

0

This isn't a great idea due to security concerns, but here is a solution:

When sending an email, generate some random string token and save it in your DB along with the user id.
In the email, send a link, maybe something like: mypage.com/login?token=GENERATED_TOKEN
When receiving this POST request, search through the database looking for that specific token. If a match is found, go ahead and log in the user this token belongs to.
How to generate such a token: best practice to generate random token for forgot password

Note: this approach is viable when generating links for things like password reset links to verify users that are single use (deleted / marked after one use) and are time-limited (for example, links work only 6 hours after being sent).
Please do not use this for regularly logging in users.

matri70boss
  • 349
  • 2
  • 13
  • To elaborate, it is a very big security loophole since you basically swapped the username and password for 1 string that is most often not 100% random. It can be used for password reset of course but you need to make it as long as possible and delete it as fast as possible from your database. – Joeri Apr 04 '19 at 11:05
  • 1
    @Joeri This is 100% correct. But it is possible that OP just didn't word it properly (the Facebook example sounds like he wanted to do password reset) – matri70boss Apr 04 '19 at 11:11
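The answer and the comments under it describe the properties such a token needs: generated from a cryptographically secure random source, stored alongside the user id, single use, and time-limited (the answer's 6-hour example). The following PHP is an added illustration of that design and is not code from the answer's author or from Facebook. It assumes an in-memory SQLite database via PDO, a constructed `users` row, table and function names chosen here (`login_tokens`, `issueToken`, `redeemToken`), and a placeholder domain `mypage.example` in place of the answer's `mypage.com`. It goes one step beyond the answer by storing only a SHA-256 hash of the token, so a copy of the database table cannot be replayed as login links, and by reading the token from the link's query string, which is how a clicked e-mail link arrives.

```php
<?php
declare(strict_types=1);

// Added example: single-use, time-limited login/reset tokens backed by an
// in-memory SQLite database so the script runs offline.

const TOKEN_TTL_SECONDS = 6 * 3600; // the answer's "6 hours" example

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    $db->exec('CREATE TABLE login_tokens (
        token_hash TEXT PRIMARY KEY,   -- SHA-256 of the raw token, never the token itself
        user_id    INTEGER NOT NULL,
        expires_at INTEGER NOT NULL,   -- unix timestamp
        used_at    INTEGER             -- NULL until redeemed
    )');
    // Constructed sample user for the demo.
    $db->exec("INSERT INTO users (id, email) VALUES (1, 'alice@example.test')");
    return $db;
}

// Create a token for one user. The raw token is returned for the e-mail link;
// only its hash is stored, so a leaked table does not yield working links.
function issueToken(PDO $db, int $userId, int $now): string {
    $raw = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG, 64 hex chars
    $stmt = $db->prepare(
        'INSERT INTO login_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $raw), $userId, $now + TOKEN_TTL_SECONDS]);
    return $raw;
}

// Redeem a token taken from the link. Returns the user id on success, null when
// the token is malformed, unknown, expired, or already used. A successful
// redemption marks the row used inside the same transaction, so two concurrent
// requests with the same token cannot both succeed.
function redeemToken(PDO $db, string $raw, int $now): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $raw)) {
        return null; // reject malformed input before touching the database
    }
    $hash = hash('sha256', $raw);
    $db->beginTransaction();
    $stmt = $db->prepare(
        'SELECT user_id, expires_at, used_at FROM login_tokens WHERE token_hash = ?'
    );
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['used_at'] !== null || (int)$row['expires_at'] < $now) {
        $db->rollBack();
        return null;
    }
    $upd = $db->prepare(
        'UPDATE login_tokens SET used_at = ? WHERE token_hash = ? AND used_at IS NULL'
    );
    $upd->execute([$now, $hash]);
    if ($upd->rowCount() !== 1) {
        $db->rollBack(); // lost a race with another redemption of the same token
        return null;
    }
    $db->commit();
    return (int)$row['user_id'];
}

// Demo run: issue a link, then exercise first use, reuse, and expiry.
$db  = setupDb();
$now = time();

$token = issueToken($db, 1, $now);
$link  = 'https://mypage.example/login?token=' . $token; // placeholder domain
echo "E-mail link: {$link}\n";

// In the real handler the token would come from $_GET['token'] on the link click.
var_dump(redeemToken($db, $token, $now + 60));   // first use
var_dump(redeemToken($db, $token, $now + 120));  // same token again

$late = issueToken($db, 1, $now);
var_dump(redeemToken($db, $late, $now + TOKEN_TTL_SECONDS + 1)); // past its TTL
```

Once `redeemToken` returns a user id, the handler should start the authenticated session with `session_regenerate_id(true)` so the pre-login session id is not carried over. The hashed-storage choice also means there is nothing to compare in constant time in PHP: the lookup is by hash, and an attacker guessing raw tokens still faces 256 bits of entropy.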