login from token


I have users sending messages to other users with links in the email.

If the users click on the links in the email they go to the message in the app, but invariably they aren't logged in and have to do so before getting to the page they want to go to.

I want to build a login_from_token functionality that would add a token for the user who receives the email so that the link will go directly to the page, and in the process log them in.

My question: How safe is this? Are there issues with this approach in terms of privacy?

The email is supposed to be personal email accounts so in principle the link would be as safe as the email account?

I would appreciate your thoughts.


If you want navigation to a URL to actually log a specific person in, the tokens will have to be person-specific, won’t they? What do you imagine the mechanics would be for getting a sending user to generate one of those URLs? Are you trading recipient-convenience for sender-inconvenience?

Would setting this up allow potential-senders to impersonate anyone by generating and then navigating to one of these URLs?

As an alternative, consider setting a long-lived cookie when a user logs in, and check for its presence as part of your authentication routine (e.g., if cookie exists, assume they are legit & pass them on to the destination page). That should cut down on the number of logins.

I would simply store the request uri in the session,
redirect the user to the login page and after successful
login redirect him to the requested page.

I agree with Thorsten and suggest you look at the Restful
Authentication plugin to see how to implement this.

Thanks for the response.

I am using restful_authentication and have the login required process as Thorsten described.

What I wanted to do is allow a user to send a message to another user. In the mailer I want to call a method to append a token to that url that is specific to the user who will receive the email. When the user follows the link, I do a login_from_token and delete the token. Thus the token is a one time auto-login for a specific user with no extra effort for the user sending the message and allowing the user following the link to skip the login page.

I am going with the remember-me cookie method, but I am still curious if there is a problem with what I want to do. I’m assuming private email is a secure way of sending the receiving user a link that would allow them auto-login. I don't use remember me cookies - I grew up in a family where we shared a pc so I just never got in the habit and logging in everywhere just seems a PITA. My email is password protected so it should be enough proof that I am who I am. The fact that the token only works once would also minimize the risk that a user sends the link to someone else allowing them to access their account.

I don't want to waste anyone’s time. I am going with remember me, but if someone is interested from an academic perspective I would enjoy their input.

Thanks for the feedback.
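
The one-time, recipient-specific token described in the post above, sketched as an added example that is not part of the original thread and not restful_authentication's own code. The names `LoginTokenStore`, `issue` and `redeem`, the in-memory hash standing in for a database table, the one-hour lifetime and the app-local path check are all assumptions; the thread only specifies "specific to the recipient" and "deleted on use".

```ruby
require 'securerandom'
require 'digest'

# Added example (hypothetical names): in-memory stand-in for a tokens table.
class LoginTokenStore
  Record = Struct.new(:user_id, :path, :expires_at)

  # ttl (seconds) is an assumption; the thread sets no lifetime for the link.
  def initialize(ttl: 3600)
    @ttl = ttl
    @records = {} # SHA-256(token) => Record; the raw token is never stored
  end

  # Called by the mailer. The token is minted server-side for the recipient,
  # so the sender never sees or chooses it. Returns the raw token to append
  # to the link in the e-mail.
  def issue(user_id, path, now: Time.now)
    unless path.start_with?('/') && !path.start_with?('//')
      raise ArgumentError, 'path must be app-local' # no off-site redirects
    end
    token = SecureRandom.urlsafe_base64(32) # 256 bits from the OS CSPRNG
    @records[digest(token)] = Record.new(user_id, path, now + @ttl)
    token
  end

  # Called by login_from_token. Returns [user_id, path], or nil when the
  # token is unknown, already used, or expired. The record is deleted on the
  # first lookup, so a forwarded or replayed link logs nobody in.
  def redeem(token, now: Time.now)
    record = @records.delete(digest(token.to_s))
    return nil if record.nil? || now > record.expires_at
    [record.user_id, record.path]
  end

  private

  # Storing only the digest means a leaked table does not yield usable links.
  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

Because the stored path comes from the token record rather than from a query parameter, the link can only land on the page the mailer chose for that recipient.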