Ticket (Solved)

Automatically log a user in via emailed link - possible?

Hi all, I note Orchard can validate a recently registered user account via email/token upon creation, but is there a way to automatically log that user in via the validation link they receive? Or any method to log them in via an emailed link? Thanks a lot in advance.

Re: Automatically log a user in via emailed link - possible?

Well I couldn't seem to find such a feature so I just added my own Action and stole some code from Orchard:

    // Takes the user name and password straight from the GET query string,
    // validates them against the membership service and signs the user in.
    public ActionResult AutoLogOn(string username, string pw) {
        string returnUrl = "~/";
        bool rememberMe = false;

        var user = _membershipService.ValidateUser(username, pw);
        if (user == null)
        {
            _userEventHandler.LogInFailed(username, pw);
            //TODO: show friendly login errorpage
            // Return here: without it the code falls through and calls SignIn with a null user.
            return new HttpUnauthorizedResult();
        }

        _authenticationService.SignIn(user, rememberMe);
        _userEventHandler.LoggedIn(user);

        return this.RedirectLocal(returnUrl);
    }

Thanks

Friday, July 8, 2016 1:59:04 AM by pug

Re: Automatically log a user in via emailed link - possible?

Careful with this: logging in using a GET request is quite dangerous. Using nonces to perform a single action such as validating a comment is one thing, but full authentication is another altogether, as it's effectively giving a permanent road to elevation of privilege. Your code doesn't even limit the validity in time of the action.

What's about 1000x worse though is that you're not even using a single use token, but are actually putting the unencrypted password of the user in an email. This is pure 100% distilled madness.

Just don't do that. It's pretty much guaranteed that you'll get hacked.

Saturday, July 9, 2016 9:23:01 PM by bleroy

Re: Automatically log a user in via emailed link - possible?

Thanks bleroy,

1. code doesn't even limit the validity in time of the action.
2. What's about 1000x worse though is that you're not even using a single use token.

Ok, I truly am naive/new when it comes to such concepts - could you elaborate further on the above points? I'm assuming there is a way to create a (token?) and then compare that via another GET request attribute 'token' and compare that to the user record in the DB and see if they match, or the likes? BTW, I know it doesn't make a difference, but a user is only elevated on the front end to see some further information; there are no details kept about users except for a 'first name'. Thanks for your feedback

Monday, July 11, 2016 4:26:32 AM by pug

Re: Automatically log a user in via emailed link - possible?

The comment module has code that uses nonces to create single-use links that can only be used against a specific action for a limited time. You should definitely never send a password in an email, under any form. I'm even surprised you even can have access to the password, as it should only be available as a hash.

Thursday, July 14, 2016 12:46:10 PM by bleroy
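As an added illustration of the single-use, time-limited, action-bound link bleroy describes (example code written for this thread, not Orchard's own nonce implementation from the comments module), here is a minimal C# version: the email link carries the user name, an expiry, a random nonce and an HMAC over all of them, and never a password. The class name, the route in the URL, where the key comes from and the in-memory store of redeemed nonces are all assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example, not Orchard's own code. The HMAC covers the action name too, so a
// token minted for AutoLogOn cannot be replayed against some other signed action.
public class OneTimeLoginLink
{
    private const string Action = "AutoLogOn";     // binds the signature to this one action
    private readonly byte[] _key;                    // assumption: secret loaded from config, never from the URL
    private readonly ConcurrentDictionary<string, byte> _redeemed = new ConcurrentDictionary<string, byte>();
    public OneTimeLoginLink(byte[] key) { _key = key; }

    // Builds the relative URL to put in the email; the route is a placeholder.
    public string Create(string username, TimeSpan lifetime)
    {
        var nonceBytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonceBytes);
        string nonce = Convert.ToBase64String(nonceBytes);
        long expires = DateTime.UtcNow.Add(lifetime).Ticks;
        string sig = Convert.ToBase64String(Sign(username, expires, nonce));
        return string.Format("~/Users/Account/AutoLogOn?username={0}&expires={1}&nonce={2}&sig={3}",
            Uri.EscapeDataString(username), expires, Uri.EscapeDataString(nonce), Uri.EscapeDataString(sig));
    }

    // True only if the signature verifies, the link is unexpired and the nonce is unused;
    // success consumes the nonce, so the same link cannot log anyone in twice.
    public bool TryRedeem(string username, long expires, string nonce, string sig)
    {
        if (string.IsNullOrEmpty(nonce) || sig == null) return false;
        byte[] given;
        try { given = Convert.FromBase64String(sig); } catch (FormatException) { return false; }
        if (!ConstantTimeEquals(Sign(username, expires, nonce), given)) return false; // forged or tampered
        if (DateTime.UtcNow.Ticks > expires) return false;                             // expired
        return _redeemed.TryAdd(nonce, 0);                                             // false if already used
    }

    private byte[] Sign(string username, long expires, string nonce)
    {
        var data = Encoding.UTF8.GetBytes(string.Join("|", Action, username, expires, nonce));
        using (var hmac = new HMACSHA256(_key)) return hmac.ComputeHash(data);
    }

    private static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A controller action would pass the four query parameters to TryRedeem and only then call _authenticationService.SignIn for that user. The in-memory redeemed set is lost on application restart, so a real site would record consumed nonces in the database instead.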

Re: Automatically log a user in via emailed link - possible?

Many thanks bleroy, much to consider/implement :/

Friday, July 15, 2016 4:34:27 AM by pug
