1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 6:34 pm Apr 27, 2026

Forum Moderators: coopster

Message Too Old, No Replies

One click login from email link

Security suggestions

         

mack

4:44 pm on Jan 19, 2023 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



This is more theory than actual code, but the system I have written is PHP based. It's a members system I wrote around 2012 and updated it through the years. It does the basics register, log in, verify email, password recovery edit details etc etc. It relies on sessions.

Every now and then I will send emails to opt-in registered users and the call to action requires them to log in to the website. In an ideal world, they simply click the link, click login and proceed from there. But for a small website like mine the chances the user will remember the site, let alone their login details are very slim. What I have done is create a system to offer one-click login. The email will contain a link with the following ?id=XXXX&vc=xxxxxxxx&goto=xx

ID is the user ID, vc is an 8 digit verification code (random) that was set when the user signed up the goto value is referring to where the user will be sent on the website.

What I currently do is

select * from users where id = $id

I then assign the vc value from the DB to a string and do a comparison between the stored string and the one being sent from the user. If they match the user can be logged in and it uses some other data to set the session. When the user logs in using the one-click link I generate a new vc code and update the DB so the link cannot be used again. The system can however generate a new link from the current DB values.

I also start a session for OCL (one click login)

$_SESSION['ocl'] = 1;

If this session is set header will present a text warning recommending the user sets a password to retain access to their account. It is at this point I feel I need to be very careful.

On the page where the user can set a new password, I first confirm they are logged in. The next thing I do is check if the user has logged in under a non-one-click (regular) login. If they are I redirect them to the standard change password page. This requires the user to provide their current pass, a new pass and confirm their new pass.

I then ensure the user's email has been verified (by clicking a link when they signed up to ensure they have access to the email)

So I now know the link to log the user in was sent to the correct email for the user and it was verified. They clicked it and the verification code did match. They then click through to reset their password.

What other checks should I do? just feel there is too little being done to simply update the DB. Or perhaps I am looking too deep into this.

What are your thoughts? are there any further steps you would add?

Mack.

Dimitri

11:19 am on Feb 18, 2023 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



I have to confess I didn't read everything, and just scanned it.

I would change the random value (token) each time an email is sent, with this one click link. Also, I would set some kind of expiration delay for this token to remain active. I would also check the IP address of the user. If the IP is from a different country or different ISP than what it used to be , then ask for password. Some IP location db are featuring coordinates , you can also check if the "new" IP is within an acceptable perimeter compared to previous sign ins. (Like if a member usually sign in from NYC, if one day he sign ins from LA, it might be suspect). Also, if the IP is from a VPN, or DataCenter, this is suspect (but possible).

These are just random thoughts.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 6:34 pm Apr 27, 2026