Best practices for automatic login URL's?

In addition to ensuring a token is single use, has a short expiration and that the token is sufficiently random and long:

  • I'd recommend limiting the number of valid tokens in existence at any given time (preferably to 1). That way your exposure to compromised codes is limited to a fixed number.
  • Having the code in the parameters of a GET request will expose the code in most HTTP logs (eg. browser history). This is mostly mitigated by making the codes single use, but ideally you'd only send them the login link without the code embedded and make them copy the code from the email to the login page manually.

Tags:

Authentication

Token

Appsec

Related

What leaked mass surveillance capabilities have not been explained by vulnerabilities we have learned about since 2014? Will quantum computers render AES obsolete? Use multiple computers for faster brute force The history of thumbnails (or just a previous thumbnail) is embedded in an image file? Why is weakness of SHA-1 considered a threat to TLS security Is it possible to detect security breaches as a user before they're announced? How does an attack on a digital signature work? How does a company like CloudFlare block bot crawling and email harvesters? How can I prove that my software is secure for those who are interested to install it? If I protected myself from POODLE am I also protected against DROWN Is there any concern regarding a database primary key exposure? Website security - should I hire a developer?

Recent Posts