Reputation: 91
To make the experience for our users more convenient we implemented a feature which allowed a user to automatically get logged in when he clicks on a link he received via email. In the past he had to click on the link and then had to enter his password. By providing a special security token in the link, we can now automatically log in the user without the need for entering his password.
A few days after we went live with this feature, internal pages (which can only be accessed via password or via the special email link) appeared in the Google search results. We are using Gmail as an email provider for sending emails from our system.
The only explanation I have for this behaviour is that Google is crawling the links in the emails, which is not very nice of them if those are "private" links.
Is there a safe way to still allow users to log in without a password via a special link they receive in their email, without Google being able to crawl the internal pages?
Upvotes: 2
Views: 662
Reputation: 194
So, the issue is that the link is a magic key that will work for anyone. Presumably it has a long secret in it (I use a nine digit number along with the username in mine -- figure that should do it). I had considered next person at the library, and stolen or 'borrowed' laptops, but not e-mail providers snooping. I hope you're wrong about that, but there should be a solution.
How about when you send the link with the magic key, you also set a cookie (or localStorage item), let's call it magic key number two. Then, if the Google bot crawler thingie tries to use your link, it won't work because your server wants to see both magic keys together to unlock the kingdom. Only drawback is the user clicks the link on a different browser/device, but then you just explain and make xer go get another link in real time.
Upvotes: 0
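The two-key scheme from the answer above, as an added example that is not part of the original question or answer: the server issues a link token (which goes into the e-mail) and a separate cookie token (which is set in the browser that requested the link), and a login is granted only when both are presented. The example goes a little beyond the answer by also storing only hashes of the tokens, giving each link an expiry, and making it single-use, so a crawler that fetches the URL from the mailbox gets nothing, and a token that leaks later is already dead. All names (`MagicLinkService`, `PendingLogin`, the `example.invalid` host) and the 15-minute lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed lifetime of a magic link; pick what suits the application.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingLogin:
    """Server-side record for one issued magic link (hypothetical schema)."""
    username: str
    link_token_hash: str    # hash of the token placed in the e-mail URL
    cookie_token_hash: str  # hash of the token set as a cookie in the requesting browser
    expires_at: float
    used: bool = False


def _hash(token: str) -> str:
    # Store only a digest so a leaked table does not hand out live tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class MagicLinkService:
    """Issues and redeems two-key magic links (constructed example, not a real library)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._pending: Dict[str, PendingLogin] = {}
        self._now = now  # injectable clock so expiry can be exercised in tests

    def issue(self, username: str) -> Tuple[str, str, str]:
        """Create a magic link for `username`.

        Returns (login_id, link_token, cookie_token). The first two go into the
        e-mailed URL; cookie_token is set as an HttpOnly cookie in the response
        to the browser that asked for the link and never leaves that browser.
        """
        login_id = secrets.token_urlsafe(16)
        link_token = secrets.token_urlsafe(32)
        cookie_token = secrets.token_urlsafe(32)
        self._pending[login_id] = PendingLogin(
            username=username,
            link_token_hash=_hash(link_token),
            cookie_token_hash=_hash(cookie_token),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return login_id, link_token, cookie_token

    def redeem(self, login_id: str, link_token: Optional[str],
               cookie_token: Optional[str]) -> Optional[str]:
        """Return the username if both keys match an unexpired, unused record, else None.

        A crawler following the e-mailed URL has the link token but not the
        cookie, so it is refused here; the page behind the link is never served.
        """
        rec = self._pending.get(login_id)
        if rec is None or rec.used or self._now() > rec.expires_at:
            return None
        if link_token is None or cookie_token is None:
            return None
        link_ok = hmac.compare_digest(rec.link_token_hash, _hash(link_token))
        cookie_ok = hmac.compare_digest(rec.cookie_token_hash, _hash(cookie_token))
        if not (link_ok and cookie_ok):
            return None
        rec.used = True  # single use: a later fetch of the same URL fails
        return rec.username


def build_link(login_id: str, link_token: str,
               base: str = "https://example.invalid/login") -> str:
    """Build the URL to embed in the e-mail (example.invalid is a placeholder host)."""
    return f"{base}/{login_id}?t={link_token}"


if __name__ == "__main__":
    svc = MagicLinkService()
    lid, lt, ct = svc.issue("alice")
    print("mail this:", build_link(lid, lt))
    print("crawler with link only:", svc.redeem(lid, lt, None))   # None
    print("browser with both keys:", svc.redeem(lid, lt, ct))     # alice
    print("replay of the same link:", svc.redeem(lid, lt, ct))    # None
```

The cookie token must be set with `HttpOnly` and `Secure` (and ideally `SameSite=Lax`, since the login request arrives via a top-level navigation from the mail client), and the URL path should be served with `noindex` headers as a second line of defence. Because the record is consumed on first successful use and the lookup compares hashes in constant time, neither a crawler nor someone who later reads the mailbox can turn the URL alone into a session.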