Forum Moderators: phranque


Issue with prefetching in SMS and other messaging apps.

One click login problems when only one click is allowed


mack

8:11 pm on Jan 27, 2023 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I recently wrote an addon for my existing login system that allows users to login by simply clicking a link in an email. In the interests of security, I was keen that this link can only be used once. When it is sent to an email address it works exactly as intended. It logs the user in and they get "nag text" in the page header advising them they are using a one-click login and recommending they change their password.

During testing I had some people try it out and just sent them the link via SMS or Whatsapp. In both these examples, the login failed and they were presented with an error message I have written for use if the link had already been used.

It didn't just fail some of the time, it failed 100% of the time (consistency is great).

When a user clicks the link to login they send an 8-digit number (from the DB) and their username within the URL. The login script uses "get" to extract the values from the link. It then makes sure the right number is assigned to the ID before logging the user in. It then creates a new random number to prevent the link from working again.

The problem is prefetching. If the link is prefetched it is in effect a click and the number is updated. This means when the user clicks the link it is effectively the 2nd click and it will not work.

I am concerned that some email software may also do some form of prefetching of the link, triggering the update, thus rendering the link useless.

What would you suggest as a way of preventing the prefetch issue? In the real world, it will only ever be sent via email...

Mack.

phranque

11:02 pm on Jan 27, 2023 (gmt 0)




I would add something that looks for some sort of user interaction on the login page, or acceptance of an appropriate cookie, before the new random number is set.

[edited by: phranque at 12:06 am (utc) on Jan 28, 2023]

mack

11:51 pm on Jan 27, 2023 (gmt 0)




That's a good suggestion. I will see how feasible that is with the existing code. I'm unsure if I am reading too much into the possible issue. Are there email clients or webmail clients that do prefetching? I get why some apps do it, but it's certainly an annoyance.

Mack.

phranque

12:10 am on Jan 28, 2023 (gmt 0)




A lot of page prefetches are to obtain the icon image, so I would expect prefetching to occur on any clients that depend on an iconic interface.

mack

4:15 pm on Jan 29, 2023 (gmt 0)




I did a little bit of "out of the box" thinking about this. What I ended up doing was creating a PHP if loop() at the start of the script just after I extract the "GET" data from the URL.

if (empty($_POST['confirmed'])) {
    // First hit (a real click or a prefetch): show a "Continue" form that
    // re-sends the GET values via POST. Nothing in the DB changes yet.
    // Field names are assumed; the 8-digit number travels as "code".
    $user = htmlspecialchars($_GET['user'] ?? '', ENT_QUOTES, 'UTF-8');
    $code = htmlspecialchars($_GET['code'] ?? '', ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="user" value="' . $user . '">'
       . '<input type="hidden" name="code" value="' . $code . '">'
       . '<input type="hidden" name="confirmed" value="1">'
       . '<button type="submit">Continue</button></form>';
    include 'footer.php';   // assumed name of the footer include
    die();
}

When the user clicks the button, the form submits like before, bypassing the above if clause. I simply had to change a few lines of code to extract the values from POST rather than GET.

I suspect this could be done using a meta refresh, but that's just taking a chance :-)

Mack.
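The design the thread arrives at (a GET from the e-mail link only renders a "Continue" form, and the single-use token is consumed by the POST that the user's click produces) is shown end to end below. This is an added example written for this page, not Mack's PHP and not code from WebmasterWorld; it is a framework-agnostic Python model of the request handling rather than a web app. It also goes a little beyond the thread's 8-digit number: the token is 256 random bits, stored only as a hash, given an expiry, and compared in constant time. BASE_URL, TOKEN_TTL_SECONDS, the field names user/token/confirm and the in-memory dictionary standing in for the database table are all assumptions.

```python
"""Prefetch-safe single-use login link (added example, not the poster's PHP).

The rule that defeats prefetching is HTTP's own: GET and HEAD are "safe"
methods and must not change state.  The e-mail link therefore only renders
a "Continue" form; the token is consumed by the POST that the click sends.
"""
import hashlib
import hmac
import secrets
import time
from html import escape
from typing import Optional
from urllib.parse import urlencode

BASE_URL = "https://example.com/login"   # hypothetical login endpoint
TOKEN_TTL_SECONDS = 15 * 60              # assumption: a link is valid for 15 minutes

# Stand-in for the database table: sha256(token) -> (username, expiry time).
# Only the hash is stored, so a leaked table does not yield usable links.
_tokens = {}
_logged_in = []   # usernames whose login completed (stand-in for sessions)


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_link(username: str, now: Optional[float] = None) -> str:
    """Create a single-use token for `username` and return the e-mail link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)       # 256 random bits, not an 8-digit number
    _tokens[_hash(token)] = (username, now + TOKEN_TTL_SECONDS)
    return BASE_URL + "?" + urlencode({"user": username, "token": token})


def _find(username: str, token: str, now: float) -> Optional[str]:
    """Return the stored hash if (username, token) is valid and unexpired.
    Looks but never consumes; each comparison is constant time."""
    h = _hash(token)
    for stored_hash, (stored_user, expires_at) in _tokens.items():
        if (hmac.compare_digest(stored_hash, h)
                and hmac.compare_digest(stored_user.encode(), username.encode())
                and now < expires_at):
            return stored_hash
    return None


def confirmation_form(username: str, token: str) -> str:
    """What a GET (including a prefetch) receives: nothing has happened yet."""
    return (
        '<form method="post" action="">'
        f'<input type="hidden" name="user" value="{escape(username)}">'
        f'<input type="hidden" name="token" value="{escape(token)}">'
        '<input type="hidden" name="confirm" value="1">'
        '<button type="submit">Continue</button></form>'
    )


def handle_request(method: str, params: dict, now: Optional[float] = None) -> dict:
    """Handle one request; returns {"status": int, "body": str}."""
    now = time.time() if now is None else now
    username = params.get("user", "")
    token = params.get("token", "")
    found = _find(username, token, now)

    if method in ("GET", "HEAD"):
        # Safe methods change nothing, so a prefetcher consumes nothing.
        if found is None:
            return {"status": 400, "body": "This login link is invalid or has expired."}
        return {"status": 200, "body": confirmation_form(username, token)}

    if method == "POST" and params.get("confirm") == "1":
        if found is None:
            return {"status": 400, "body": "This login link was already used or has expired."}
        # Consumed on the real click only.  With a SQL store do this as one
        # "DELETE ... WHERE token_hash = ? AND expires_at > ?" and treat
        # rowcount == 0 as failure, so two concurrent POSTs cannot both win.
        del _tokens[found]
        _logged_in.append(username)
        return {"status": 200, "body": f"Logged in as {escape(username)}; please change your password."}

    return {"status": 405, "body": "Method not allowed."}


if __name__ == "__main__":
    from urllib.parse import parse_qsl, urlsplit
    link = issue_link("mack")
    q = dict(parse_qsl(urlsplit(link).query))
    print(handle_request("GET", q)["status"])                        # prefetch: 200, nothing consumed
    print(handle_request("POST", {**q, "confirm": "1"})["status"])   # click: 200, logged in
    print(handle_request("POST", {**q, "confirm": "1"})["status"])   # replay: 400
```

Two points worth keeping when porting this back to PHP: the token should be consumed with one atomic update or delete whose affected-row count is checked, not with a select followed by an update, and the form should be reached only via safe methods so that any number of prefetches, link-preview fetches or HEAD requests leave the token untouched until a real submit arrives.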