Email Token Link

Hi, is there any security risk or programmatic risk using email token links (if that's what they are called) to update various data on your website without requiring the user to log in?

For example, when a user signs up to a site, you email them a token link to validate / activate their email address / account, such as:

www.domain.com/activate?ad2asdd3e12w12312w12asg31w123cas31w212312edqa35ee

I think they are a great way to validate or update something on the website without requiring the user to log in. I always make sure that the link is validated and can only do one thing etc... but is there a risk in using them at all?
oo7ml Asked:

Ray Paseur Commented:
It's a common design pattern and the risk is not too great, but if you're handling money or medical records you might want to look for another idea.  This article describes the way it's done.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_3939-Registration-and-Email-Confirmation-in-PHP.html
oo7ml (Author) Commented:
Thanks Ray... Ok, I guess the question I am asking is:

Is it ok to use the email token link to allow a user to update / activate something INSTEAD of asking them to sign in and click a button (as long as the thing they are updating is something small and not a payment or medical record :-)?
Giovanni Heward Commented:
I'd say the short answer is "Yes, it's OK" if the accessible content isn't personal identifying information or some other confidential data.

You may want to incorporate additional authentication factors, such as: if the IP address matches the previous (successful) login then permit auto-authentication, otherwise prompt for credentials, etc.  You could combine this with the last user-agent, etc.

The risks include, but are not limited to: an ISP or e-mail hosting provider employee gaining access to the email (or packets), the end-user workstation being accessible to 3rd parties (not locked, remote access trojan, etc.), your auth token being predictable, etc.

If you match the IP address as described above then this should mitigate the majority of the outlined risks (all except 3rd parties/trojans having access to the end-user machine).

So the answer to your question truly is "it depends."  Is it an acceptable risk to have potential 3rd parties (who have access to the user's machine) make changes to, or view, the data you have in mind?  Think about a family member reading the email and clicking the link, etc.  In one scenario they'd need to also know the auth credentials, in the other they'd be granted access.
Dave Baldwin (Fixer of Problems) Commented:
When you use a link like that to 'validate' a user's email address, the token is invalidated when it is used the first time so it cannot be used again.  Some sites allow 3 tries or 24 hours instead of deleting it immediately.
Ray Paseur Commented:
When someone visits the link in the email, all it does is say, "Thanks, you're confirmed."  It does not expose information on the server, or only exposes minimal information on the server.  Certainly it would not put a cookie on the browser without a password check.  You would still require a password check for any "secret stuff."

The rule about testing passwords is the same as the way it works at the ATM.  For any transaction that makes an important and non-idempotent change to the data model, you confirm the password.
oo7ml (Author) Commented:
Ok cool, thanks guys... the token is deleted from the database once the link is clicked so the same action cannot be performed twice... also, all I am using it to do is to update a status, which also relies on the data having a certain status to begin with, so if the token is clicked and the data is not already in the expected status... the main status will not be updated... if you get me, thanks...
Ray Paseur Commented:
"the token is deleted from the database once the link is clicked so the same action cannot be performed twice"
Whoa?  The client action is a GET-method request and under the laws of HTTP the request must be idempotent.  This is how it should work.

1. Client registers
2. Server sends email link
3. Client clicks email link
4. Server sets "ack" bit in client record.
5. Client clicks email link again
6. Server sets "ack" bit in client record again.
5. Client clicks email link again
6. Server sets "ack" bit in client record again.
5. Client clicks email link again
6. Server sets "ack" bit in client record again.

Even after repeating 5,6 several times the server state is the same as after 3,4.  

The point of the client acknowledgement is to limit bogus sign-ups.  If the client does not receive the email, or discards the email, the client will never click the link and the server will not set the "ack" bit.  You can run a garbage collection script periodically to remove abandoned client records.

You can also help eliminate bogus sign-ups with a simple CAPTCHA test.  A good place for this is right next to the "submit" button in the registration form.

Regards, ~Ray
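An added example (not code from the thread or from Ray's linked article) showing the design the replies converge on: an unguessable token whose hash is the only thing stored (addressing Giovanni's "predictable token" risk), a 24-hour expiry as Dave mentions, and an idempotent activation handler that sets the "ack" bit the same way on the first and the fifth click, as in Ray's steps 3 to 6. The in-memory `USERS` and `TOKENS` dicts stand in for the database and are constructed sample state.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for the user table and the token index.
USERS = {}   # user_id -> {"ack": bool, "expires": float}
TOKENS = {}  # sha256(token) -> user_id; the raw token is never stored

TOKEN_TTL = 24 * 3600  # activation links are good for 24 hours


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_activation(user_id, now=None):
    """Create a random, single-purpose activation token for a new account.

    secrets.token_urlsafe(32) yields 256 bits of randomness, so the link
    cannot be predicted. Only its hash goes into the database, so a leaked
    copy of the table cannot be turned into working links."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    USERS[user_id] = {"ack": False, "expires": now + TOKEN_TTL}
    TOKENS[_digest(token)] = user_id
    return token  # goes into the email once; never logged or shown again


def activate(token, now=None):
    """Handle GET /activate?<token>.

    Idempotent: the first click and every later click leave the record in
    the same state and get the same answer. Unknown, malformed and expired
    tokens all get one generic reply, so the endpoint reveals nothing about
    which accounts exist or what state they are in."""
    now = time.time() if now is None else now
    user_id = TOKENS.get(_digest(token))
    if user_id is None:
        return "invalid"
    record = USERS[user_id]
    if now > record["expires"]:
        return "invalid"
    record["ack"] = True  # setting the bit again changes nothing (step 6)
    return "confirmed"
```

Anything beyond flipping this one bit (changing an address, a payment detail, a password) would still sit behind a password check, as Ray's ATM rule describes.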