DEV Community

Discussion on: Create (passwordless) Login Links for users in Laravel

ItNuBom

Hi. Have you considered the security aspects of login links that go out in insecure emails? Specifically, if your email account is hacked, someone can log in to whatever service is being provided without a password; if you pull it down over an insecure protocol, someone might snoop on it; or the customer, not realising that the link auto-logs them in, forwards it to a customer and says "check out these people", and suddenly they can log in as you and maybe see your financial transactions or your personal profile, place an order under your name, etc.

I'm not a major security buff, but certainly UK-wise (and European) with GDPR and PECR, I can't think of anything worse than sending out links by email that log you in.

If the system has a requirement to have security on it in the first place, why circumvent it, especially given most people will tell their browser to remember their login details anyway? So a direct link to the correct page redirects to a login page, you press enter to log in with your details, and you go back to the correct page.

Also remember that nowadays antivirus systems tend to visit links in emails to check if the page being linked to is phishy etc., so that means that Google, Microsoft or McAfee etc. can also now log in to your account too ;-(

I'm sure it does the job well; I'm just highlighting issues that I've come across before that I'm not sure can be circumvented, but well done for creating a package and making it available.
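The three concerns raised in the comment above (a forwarded or snooped link being reusable, and mail scanners fetching the URL and logging in) are what a magic-link implementation has to design around. The following is an added example written for this discussion, not code from the Laravel package being discussed, and it uses Python with an in-memory dict standing in for a database table so that the mechanism can be run and checked offline; the class, method and route names (`MagicLinkService`, `preview`, `redeem`, `/login/<token>/confirm`) are illustrative assumptions. It shows the four controls that close those gaps: a high-entropy token, only its hash stored at rest, a short lifetime, and a GET that merely renders a confirmation page while only a POST consumes the token once.

```python
"""Single-use, short-lived magic-link tokens that a GET request cannot consume.

Constructed example for illustration (not the Laravel package's own code):
an in-memory dict stands in for the login_links table a real app would use.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Short lifetime limits how long a snooped or forwarded link stays usable.
TOKEN_TTL = timedelta(minutes=15)


@dataclass
class LoginLink:
    user_id: int
    token_hash: str                 # only SHA-256(token) is stored, never the token itself
    expires_at: datetime
    used_at: Optional[datetime] = None


@dataclass
class MagicLinkService:
    # token_hash -> LoginLink; stands in for a database table (assumption of this example)
    links: dict = field(default_factory=dict)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, now: datetime) -> str:
        """Create a token for user_id and return the raw token to embed in the emailed URL."""
        token = secrets.token_urlsafe(32)          # 256 bits of randomness, unguessable
        digest = self._hash(token)
        self.links[digest] = LoginLink(user_id=user_id, token_hash=digest,
                                       expires_at=now + TOKEN_TTL)
        return token

    def _lookup(self, token: str, now: datetime) -> Optional[LoginLink]:
        link = self.links.get(self._hash(token))
        if link is None or link.used_at is not None or now >= link.expires_at:
            return None
        return link

    def preview(self, token: str, now: datetime) -> bool:
        """GET /login/<token>: report whether a 'Confirm sign-in' page should be shown.
        Nothing is consumed here, so a mail scanner that fetches the URL logs nobody in."""
        return self._lookup(token, now) is not None

    def redeem(self, token: str, now: datetime) -> Optional[int]:
        """POST /login/<token>/confirm: consume the token exactly once, return the user id."""
        link = self._lookup(token, now)
        if link is None:
            return None
        link.used_at = now                           # marks the link single-use
        return link.user_id


def walkthrough() -> dict:
    """Exercise the lifecycle with a fixed clock so the outcome is deterministic."""
    svc = MagicLinkService()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    token = svc.issue(user_id=7, now=t0)
    return {
        "raw_token_stored": token in svc.links,                          # False: hash only
        "preview_ok": svc.preview(token, t0),                             # True
        "preview_again": svc.preview(token, t0),                          # True: GET consumed nothing
        "first_redeem": svc.redeem(token, t0 + timedelta(minutes=1)),     # 7
        "second_redeem": svc.redeem(token, t0 + timedelta(minutes=2)),    # None: single use
        "expired_redeem": svc.redeem(svc.issue(7, t0), t0 + timedelta(minutes=16)),  # None
        "bogus_redeem": svc.redeem("not-a-real-token", t0),               # None
    }


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name}: {outcome}")
```

The confirm step is what defuses the link-scanner problem: scanners issue a GET, and a GET here never creates a session. Storing only the hash means a leaked database table cannot be turned into working links, and the 15-minute window plus single use bound the damage from a forwarded or intercepted message to one sign-in, soon none.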