Reputation: 309
We have a use case wherein a notification email is sent out in response to some postings on a forum. These notification emails carry an AHREF link which basically allows launching the post page from the email itself. Additionally, these links carry an authentication token so that the user doesn't have to sign in when opening the page. This works fine in the normal use case, but in the scenario when the original recipient forwards the email to some other account, we are not sure how we identify that the link is opened from a forwarded email address. Can somebody provide some insight?
Upvotes: 0
Views: 192
Reputation: 744
Security vs Simplicity
There are many complaints online for just about every email system available that links (& other items) are broken in forwarded emails. Thus it is possible to have a link that will break for some mail systems when forwarded.
Your goal then would be to create a link that breaks for most/all of the major mailing systems IF you want it to be possible to send a token that allows editing. This would limit the likelihood (but in no way eliminate) a token from being used by the wrong user.
However: There is no way to stop a person who received that broken link from reassembling it and making it work again. It would merely be a technical hiccup meant to obscure the link. Any hacker would have no issue reassembling it and using it.
Perhaps a solution would be to limit the capacity to editing that single post and not an actual login, per se. Then if used by the wrong user, damage would be minimal AND it would be the fault of the user who ignored the "do not forward" warning I'm sure you're putting in the email.
The only truly secure method would be to have an immediate login popup before you allow editing. Acceptably secure would be a cookie on the site ("keep me logged in").
Upvotes: 0
Reputation: 150148
There is principally no way for you to detect that a link was clicked in an email that was forwarded vs. an email that you sent directly to someone.
Do not put an authentication bypass in the link if the need to secure your content outweighs the need for user friendliness.
You can weigh allowing the user, once they log in, to set a persistent authentication cookie in the browser they logged in from. That way, if they click a link in an email and that cookie is set, they can get directly into the website. StackOverflow.com works that way, which is convenient and the downside risk is not too great. Fortunately my bank does not work that way. The potential for loss is much greater with home banking.
Upvotes: 1
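The two suggestions above (a token limited to a single post, and direct access only from a browser that already holds a persistent login cookie) combined in one added example, which is not code from either poster. The token layout, `SECRET`, `MAX_AGE`, `make_link_token` and `authorize` are assumptions made for illustration, and `cookie_user` is assumed to be the user id the web framework has already validated from the "keep me logged in" cookie.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to clients
MAX_AGE = 7 * 24 * 3600            # assumption: emailed links stop working after 7 days

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _mac(body: bytes) -> str:
    return _b64(hmac.new(SECRET, body, hashlib.sha256).digest())

def make_link_token(user_id, post_id, now=None):
    """Token placed in the emailed URL: names one user and one post, nothing else."""
    issued = int(time.time() if now is None else now)
    body = json.dumps({"u": user_id, "p": post_id, "t": issued}).encode()
    return _b64(body) + "." + _mac(body)

def _claims(token, now):
    """Return the signed claims, or None if the token is malformed, forged or expired."""
    try:
        b64_body, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64_body + "=" * (-len(b64_body) % 4))
        if not hmac.compare_digest(sig, _mac(body)):
            return None
        claims = json.loads(body)
    except (ValueError, TypeError, AttributeError):
        return None
    return claims if 0 <= now - claims["t"] <= MAX_AGE else None

def authorize(token, requested_post, cookie_user=None, now=None):
    """Decide what a click on an emailed link is allowed to do."""
    now = int(time.time() if now is None else now)
    if cookie_user is not None:
        # Second answer: this browser already holds a persistent login cookie.
        return ("session", cookie_user)
    claims = _claims(token, now)
    if claims is not None and claims["p"] == requested_post:
        # First answer: no login, so grant access to this one post only.
        return ("post-only", claims["u"])
    # Anything else gets the login prompt.
    return ("login", None)
```

A forwarded link still reaches `post-only`, which is the residual risk both answers describe; returning `("login", None)` from that branch instead gives the stricter behaviour of the second answer.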