I have a web application built using Symfony2, in which some items are shared with other users. When an item is shared, the user receives a link to that item. I want the user receiving the link to be authenticated to the site automatically when they click it in the email. So far, what I have done is:
- Generate a unique token with the share link and append it to the link
- When the link is clicked by the user with whom it was shared, the unique token is checked and the respective user is authenticated.
However, there are flaws with this method. If some other user copies and pastes the same link into the browser, or the original recipient forwards the mail to someone else, the other user gets authenticated as the original recipient of the link. What should be the approach to get past these flaws? What I would actually want is:
- Links should only authenticate users when clicked from within the e-mail, and no direct access should be allowed.
- Users shall only be authenticated if the link is clicked from the email to which it was initially sent.
I have read a few questions that were somewhat similar in requirement, but not exactly the same. Also, the responses to them led to the conclusion that it is impossible. Is it really?
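The token scheme described in the question (generate a token, append it to the link, authenticate whoever presents it) cannot tell the original recipient from someone the mail was forwarded to, but the damage from a copied or forwarded link can be bounded. The following is an added, language-neutral illustration written for this page, not Symfony code and not the asker's implementation: the server stores only a hash of each token, binds it to one recipient and one shared item, lets it expire, and accepts it exactly once, so a forwarded or replayed link fails after the first click or after the deadline. The class, method and field names are hypothetical; the injectable clock exists only so the expiry path can be exercised deterministically.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class ShareToken:
    """Server-side record for one share link (hypothetical structure)."""
    user_id: int        # recipient the link authenticates as
    item_id: int        # the shared item the link grants access to
    expires_at: float   # absolute deadline, seconds since the epoch
    used: bool = False  # set on first successful redemption


class ShareTokenStore:
    """Issues and redeems single-use, expiring share-link tokens.

    Only a SHA-256 digest of each token is kept, so a leaked copy of the
    store does not yield usable links. Hypothetical helper for this page.
    """

    def __init__(self, ttl_seconds: int = 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        self._by_digest: Dict[str, ShareToken] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # The stored key is a hash of the random token, never the token itself.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: int, item_id: int) -> str:
        """Mint a fresh 256-bit random token for one recipient and one item."""
        token = secrets.token_urlsafe(32)
        self._by_digest[self._digest(token)] = ShareToken(
            user_id=user_id,
            item_id=item_id,
            expires_at=self._clock() + self._ttl,
        )
        return token

    def build_link(self, base_url: str, token: str) -> str:
        """Append the token to the share link (query parameter name assumed)."""
        return f"{base_url}?share_token={token}"

    def redeem(self, token: str) -> Optional[Tuple[int, int]]:
        """Return (user_id, item_id) on the first valid use, otherwise None.

        Unknown, already-used and expired tokens all fail the same way, so a
        forwarded or replayed link yields nothing after the first click.
        """
        record = self._by_digest.get(self._digest(token))
        if record is None:
            return None
        if record.used or self._clock() > record.expires_at:
            return None
        record.used = True
        return record.user_id, record.item_id


def demo() -> Dict[str, Optional[Tuple[int, int]]]:
    """Walk the three outcomes with a controllable clock (constructed data)."""
    now = [1_000_000.0]
    store = ShareTokenStore(ttl_seconds=600, clock=lambda: now[0])

    token = store.issue(user_id=42, item_id=7)
    first_click = store.redeem(token)     # original recipient: succeeds
    forwarded = store.redeem(token)       # same link used again: rejected

    stale = store.issue(user_id=42, item_id=7)
    now[0] += 601                         # move past the 600 s deadline
    expired = store.redeem(stale)         # unused but too old: rejected

    return {"first_click": first_click, "forwarded": forwarded, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Single use and a short lifetime shrink the window in which a copied link is useful, and scoping the token to one item lets the server grant a view of that item rather than a full account session. None of this identifies the mail client the link was opened from, which is the part of the requirement the answers on this page say cannot be enforced.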
Unfortunately, there’s not much more you can do in this situation.
You could check the referrer, but as user Cthulhu pointed out, such a check would be unreliable and prone to errors.
You can: