Good day!

Need help with this question:
There is a private messages feature on the site; after each message, a notification is sent to the user by email. From this email, you can click on the "read" link, which leads to the dialogue on the site. BUT the problem is that if the user's session has ended, then he is simply thrown to a 404 error.

The question is: how to make a SECURE link, so that if a user is logged out of the site, he is logged in automatically?
I do not need a ready-made solution; I would like to know who did what to secure the system. Maybe the link should be one-time, becoming inactive after it is followed?

    3 answers

    I did it like this. The link is generated (in my case it was 50 Latin characters (upper and lower case) and digits). It is recorded in the database along with whom it was sent to (user id). After the link is clicked, the record is deleted from the database. Since the user's mail provider is known, I supplemented this with a referrer check. When sending an email to user@gmail.com, it would be strange to receive a visit with an empty referrer or from a different mail address. In the future, I was going to add a cookie check and compare IP addresses. Most users come from one or a few permanent addresses, which would raise the level of identification. But the project was closed, and everything went to the archive.

      One-time links are made for exactly this purpose! You can store them in a separate table associated with the user, for example 'tokens'. When logging in this way, the token is cleared, and it is generated again when a message is sent. Plus, set a lifetime for it.

      • IMHO: I do not advise checking the referrer ... many people use email clients, and the visit does not come from the web interface (this is a reply to terantul's answer). - Hawk
      • The check is one of the options for confirmation. - terantul

      Write a key to the database that grants access, or write a function for generating this key; plus see the answer above.