I was considering building an auto-login feature for an extension I'm working on, where a customer who clicks a link in an email will be automatically logged in to their account.

This would be really helpful especially when sending to older customers because there's a high chance they would need to hit the forgot password in order to get logged in and make a purchase.

But on the other hand, it would open up some vulnerabilities that I'm not too excited about. If a customer forwards the email to their friend and their friend clicks the links, they'll also be logged in as their friend.

Granted you could try to educate your customers to not forward those emails, but that might be an uphill battle. The idea that forwarding a marketing email to a friend would allow them to log in to your account unauthorized is not something people will get used to quickly.


UPDATE: Just noticed that Quora does an autologin from its comment notification emails.


  1. Store the IP address and/or user agent used when the customer last placed an order or visited and make the link only work with that IP address or user agent.
  2. Make the link only work one time.
  3. Require some really easy intermediate authentication like "To confirm you are Jane Doe, please enter your zip code:"
  • I was thinking a little more about this. I was thinking that if anyone would have an incentive to build this kind of feature, it would probably be Facebook or Twitter. But they don't do this, do they? Commented May 31, 2013 at 14:31
  • 4. chances would be high that the customer did not change their browser - save a cookie value that you authenticate against in addition to the link. Commented Jul 1, 2013 at 3:18
  • 1
    If the user has a phone and/or uses the site from a library, there is a good chance that the user agent will change. Same goes for the IP. People do, in fact, do stuff on their desktop, then follow up with it on their mobile device. Add to this the delay of marketing emails… and you have an even higher likelihood that multiple devices or IPs are at play.
    – davidalger
    Commented Jul 2, 2013 at 13:45

I think I would not recommend such a feature...

But anyway, if you want to build this feature, consider these points:

  • use a token-based login, like http://shop.tld/?autologintoken=AABBCCDD

  • if this is just for the first time the customer logs in, limit the authentication token to one login

  • make the token unique per customer, and also (very important) not based on the username/password/address/name/email/whatever. Mage_Core_Helper_Data::getRandomString may help you. A length of 32 should be the minimum I'd say. Don't use something like md5(time())!

  • change the token every time the customer changes his password

  • restrict account access for customers who logged in using the token, e.g. let them enter their password if they want to change the mail address or access CC numbers. This could help a little bit to improve the security

  • do not(!!!) rely on browser, cookies, IP or something else

  • 1
    Wish I could give more than a simple +1 on this one. :)
    – davidalger
    Commented Jul 2, 2013 at 13:46
  • 1
    On versions of Magento prior to 1.9 getRandomString is extremely weak due to mt_srand being seeded with only 1 million possible values (no matter what length string, still only 1 million possible outcomes).
    – ColinM
    Commented Sep 30, 2014 at 14:22
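The token scheme from the answer above (random per-customer token, stored only as a digest, single use, expiring, invalidated on password change, and yielding a restricted session), as an added Python illustration that is not part of the answer and not Magento code; the in-memory store, the seven-day lifetime and the `limited` session flag are assumptions for the example:

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumed lifetime of an emailed link


class AutoLoginTokens:
    """Issues and redeems one-time, per-customer auto-login tokens.

    Only a SHA-256 digest of each token is stored, so a leaked table
    does not yield usable links. Hypothetical in-memory store."""

    def __init__(self):
        self._by_digest = {}   # digest -> {customer_id, expires, pw_version}
        self._pw_version = {}  # customer_id -> int, bumped on password change

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, customer_id, now=None):
        now = now if now is not None else time.time()
        # CSPRNG output, not derived from username, email, time or any user data
        token = secrets.token_urlsafe(32)
        self._by_digest[self._digest(token)] = {
            "customer_id": customer_id,
            "expires": now + TOKEN_TTL_SECONDS,
            "pw_version": self._pw_version.get(customer_id, 0),
        }
        return token

    def password_changed(self, customer_id):
        # Every token issued before this point stops working.
        self._pw_version[customer_id] = self._pw_version.get(customer_id, 0) + 1

    def redeem(self, token, now=None):
        """Return a restricted session dict, or None if the link is not valid."""
        now = now if now is not None else time.time()
        rec = self._by_digest.pop(self._digest(token), None)  # pop: one use only
        if rec is None or now > rec["expires"]:
            return None
        if rec["pw_version"] != self._pw_version.get(rec["customer_id"], 0):
            return None
        # Flagged session: password is still required for sensitive actions.
        return {"customer_id": rec["customer_id"], "limited": True}
```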
