I imagine a login / registration system, where the user enters their email and receives an email with a link to log in. The user clicks on the link and registers automatically (confirming the email address in the process).
This would be a form of authentication without a password.
The problem I see with this approach is that a link will send a GET request, but this GET request will change the state of the user's session (by activating it).
According to the HTTP standard, GET requests should never have side effects. Browsers also assume this, which means they could fetch GET requests in advance to optimise performance / user experience.
Let's say you are using Gmail in the browser. Could it then happen that the browser fetches the link in the email?
It would be a big security problem if just opening the email was enough to log in to the site.
Am I correct in assuming this?
Is it a bad practice to do it this way?
What I have considered
Using an HTML form in the body of the email
Another option would be to place a form in the email, which would allow a POST request directly from the email.
However, it seems that several email clients block form submissions from within emails. Email clients that do allow form submission tend to warn the user that the email is probably malicious. So this does not really seem to be a good solution.
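The usual way to resolve the GET side-effect problem described in the question, without putting a form inside the email, is to make the emailed link a plain GET that only renders a confirmation page, and to redeem the token on a POST from that page. The following is an added example written for this page, not code from the question or from any particular framework: it uses only the Python standard library, keeps tokens in an in-memory store (a real service would use a database), and the `handle_get` / `handle_post` signatures are hypothetical stand-ins for whatever web framework is in use.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from html import escape
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a magic link; pick what suits your threat model


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkStore:
    """Server-side record of issued tokens, keyed by SHA-256 of the token so a
    leaked copy of the store cannot be turned into working links."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable for testing expiry
        self._pending: Dict[str, PendingLogin] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._key(token)] = PendingLogin(email, self._clock() + TOKEN_TTL_SECONDS)
        return token  # goes into the emailed link; only its hash is stored

    def peek(self, token: str) -> Optional[str]:
        """Read-only validity check used by the GET handler: modifies no state."""
        rec = self._pending.get(self._key(token))
        if rec is None or rec.used or rec.expires_at < self._clock():
            return None
        return rec.email

    def consume(self, token: str) -> Optional[str]:
        """Single-use redemption used by the POST handler."""
        email = self.peek(token)
        if email is not None:
            self._pending[self._key(token)].used = True
        return email


def handle_get(store: MagicLinkStore, token: str) -> Tuple[int, str]:
    """GET /login?token=...: safe and idempotent. A prefetch or a mail-client
    link scanner hitting this URL only receives an HTML page; nothing is activated."""
    if store.peek(token) is None:
        return 410, "<p>This login link is invalid or has expired.</p>"
    body = (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="token" value="{escape(token, quote=True)}">'
        '<button type="submit">Confirm login</button></form>'
    )
    return 200, body


def handle_post(
    store: MagicLinkStore, sessions: Dict[str, str], form: Dict[str, str]
) -> Tuple[int, Optional[str]]:
    """POST /login: the only place the token is redeemed and a session created.
    Returns (status, session_id); the session id would be set as a cookie."""
    email = store.consume(form.get("token", ""))
    if email is None:
        return 410, None
    session_id = secrets.token_urlsafe(32)
    sessions[session_id] = email
    return 303, session_id


if __name__ == "__main__":
    store, sessions = MagicLinkStore(), {}
    tok = store.issue("alice@example.com")  # constructed sample address
    print(handle_get(store, tok))            # 200 and a confirmation form, no session yet
    print(handle_post(store, sessions, {"token": tok}))  # 303 and a new session id
    print(handle_post(store, sessions, {"token": tok}))  # 410: token already used
```

The design keeps the GET free of side effects, so a prefetching browser or a mail provider's link checker cannot log the user in; the state change happens only on the POST that a human triggers on the confirmation page. The token is single-use and time-limited, and only its hash is stored server-side.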