Creating auto-login e-mail links for a forum...

minorgod

I've got a secure online course built in php. On every page is a multi-threaded forum that lets users post comments about each course page. If someone replies to a post, the original thread author receives an e-mail with a link to return to the forum. The problem is, they need to be logged into the course before they can access any pages. So I'm wondering what the methodology is that will allow me to include some kind of key in the e-mail link that will log them into the course automatically. Can anyone explain in general terms how I might go about adding this functionality?

keith73

bad idea. whether you send a key or their password, you're opening up a pandora's box that could allow someone to hijack another persons user account.

You could just make them login, but have the login page know where they were trying to get to and take them there after they login.

if you use cookie verification for their sessions, and their cookie has not expired, then they'll just go right to the page.

keith

minorgod

I'm aware of the security concerns. I think you're probably right about the login...I should just pass the location I'm trying to get to as an arguement to my login page and then redirect after login.

With that said, how would I go about doing it the way every other forum I've ever visited does it? For instance, this forum. I don't need to log in every time I return, I have it remember me. Obviously there's not a session id being saved in a cookie because sessions expire more quickly than that. I'd assume that my username/password are also not being saved. So what the hell is the mechanism? I know it's a cookie of some sort, but what info would I keep in the cookie and then how would that tie back into a saved session once the session has expired on the server?

keith73

Originally posted by minorgod
I'm aware of the security concerns. I think you're probably right about the login...I should just pass the location I'm trying to get to as an arguement to my login page and then redirect after login.

With that said, how would I go about doing it the way every other forum I've ever visited does it? For instance, this forum. I don't need to log in every time I return, I have it remember me. Obviously there's not a session id being saved in a cookie because sessions expire more quickly than that. I'd assume that my username/password are also not being saved. So what the hell is the mechanism? I know it's a cookie of some sort, but what info would I keep in the cookie and then how would that tie back into a saved session once the session has expired on the server?

sessions can last as long as you set them to last.

but yes, phpbuilder does set cookies.
If you use mozilla you can use the cookie manager to see what cookies are set and when.

are you using php sessions?
if not, read up on setcookie at php.net.

keith