View
I imagine a login / registration system, where the user enters their email and receives an email with a link to log in. The user clicks on the link and registers automatically (confirming the email address in the process).
This would be a form of authentication without a password.
Issue
The problem I see with this approach is that a link will send a GET request, but this GET request will change the state of the user's session (by activating it).
GET requests should never (in accordance with the HTTP standard) have side effects. This is something that browsers also assume, which means that they could get GET requests to optimize the performance / user experience.
Let's say you are using Gmail in the browser. Could it then happen that the browser gets the link in the email?
It would be a big security problem if just opening the email was enough to log in to the site.
What I have considered
Using JavaScript on the landing page to send a POST request
My instinct tells me that, although a link's HTML / CSS / JavaScript could be recovered, none of this code (especially the JavaScript) will be executed before the browser explicitly opens the link.
This should mean that if the user's session is activated in some way using JavaScript (by sending a POST request to the backend), it should be safe to use a GET request to get to this page (like a link in the email).
Am I correct in assuming this?
Is it a bad practice to do it this way?
Using an HTML form in the body of the email
Another option would be to place a form in the email, which would allow a POST request directly from the email.
However, it seems that several email clients will block form submissions within emails. Email clients that allow the submission of forms tend to warn the user that the email is probably malicious. It seems that this is not really a good solution.
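The landing-page approach considered above, sketched server-side as an added example that is not part of the original post: a GET to the emailed link only renders a confirmation form, and only the POST consumes the single-use token and creates a session. The function names, the 15-minute lifetime and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import html
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime, not taken from the post
_pending = {}                 # sha256(token) -> (email, expiry); raw tokens are never stored
_sessions = {}                # session id -> email

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_login_token(email, now=None):
    """Create the single-use token that goes into the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token

def session_email(session_id):
    """Return the email bound to a session id, or None."""
    return _sessions.get(session_id)

def handle_login(method, token, now=None):
    """Handle a request to the link URL; returns (status, body, session_id)."""
    now = time.time() if now is None else now
    key = _digest(token)
    if method == "GET":
        # Safe method: read-only lookup, so a prefetch or a mail link
        # scanner fetching the URL changes nothing on the server.
        entry = _pending.get(key)
        if entry is None or entry[1] < now:
            return 410, "Link expired or already used", None
        form = ('<form method="post"><input type="hidden" name="token" '
                'value="%s"><button>Log in</button></form>' % html.escape(token))
        return 200, form, None
    if method == "POST":
        # State change happens only here; pop() makes the token single use.
        entry = _pending.pop(key, None)
        if entry is None or entry[1] < now:
            return 410, "Link expired or already used", None
        session_id = secrets.token_urlsafe(32)
        _sessions[session_id] = entry[0]
        return 200, "Logged in", session_id
    return 405, "Method not allowed", None
```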