Login Tokens In Email Links
Your system is probably sending some emails. Sometimes these emails contain links to the public part of the site, sometimes they have links to the authentication-protected part. Either way, if the email is sent to registered users (as opposed to just subscribed emails) you should not make the user type in username and password. Even if it’s the public part of the site, the user may then want to do something that requires authentication with the content you display – e.g. add it to favourites. It’s a bit tricky with public content though, and you might not want to have it there, as users tend to forward “digest” or “best this week” emails, and then the recipients will be able to impersonate them, without even knowing.
Anyway, when users click on a link in an email sent by your system, they could be logged in automatically. That’s the product requirement I think many systems should have, and it sounds pretty reasonable. But I’ve rarely seen in. Let’s assume you like it and you want to implement it in your system. How to do that, as there are certainly some security implications?
- For each email sent, generate a token. The token should be the HMAC of (the user’s email (or username, or id) concatenated with the token generation timestamp)
- Use an application-wide, configurable per-environment key for the HMAC. Also use a good hash algorithm, like SHA-256 (and not MD5)
- Append the token to each link in the email. You are probably using an email template, so just have
?emailLoginToken=${token}
for each link. Also pass the email and the timestamp as parameters.
- Have a filter/interceptor that looks for that specific parameter name, and if it is found, invoke the authentication-by-token logic (described below)
- Redo the HMAC with the parameters passed (email and timestamp) and compare it to the token parameter
- Check if the token is still valid – you can have an expiration period and don’t allow tokens to be used after more than 2 weeks after generating them.
- If everything is OK (the token passed and the result of redoing the HMAC are the same), login the user (send a session cookie). But add a flag (in the session) that the login was via a token. Then do not allow changing password, email or any “sensitive” action without password confirmation. Use the same conditions as in your “remember me” login, if you have implemented that.
- Have all such links go through https
There’s another, slightly different scenario. Instead of using hmac and sending all the parameters, just generate the token as the hash of the email and timestamp and store it (and the timestamp) in the database, with foreign key to the users table. In this case, the authenticity confirmation comes from the fact, that it’s found in your database, rather than through verifying an HMAC. Then, when the token is presented as a parameter, simply look it up in the database. You should still pass the user’s email as parameter and compare the passed email parameter to the email of the user corresponding to the persisted token (to avoid guesses). On successful login you can delete the token. You may decide not to do this, and have a scheduled job that cleans up tokens older than X weeks. If you delete it immediately, it will be more secure. If you leave it, it will make it possible for the user to open the same mail again, and the login will still work. This approach lets you invalidate tokens on demand. For example if users decides to change their password or email, you can invalidate all their tokens.
It seems like a tough process, but it’s fairly easy to implement. The tough part is taking all the points into account and not compromising security.
Note that security is an important aspect here. As pointed out on reddit, email may be insecure – when the user downloads emails via unsecured POP3 (with Outlook, Thunderbird, etc), an attacker may obtain the links and impersonate the user. That’s why you should restrict the actions the user can perform when logged in via a token. This may not matter that much, since most users either use webmail or secured POP3, or internal email server. But you should not do that for banking software, for example. Having tokens in links is probably less problematic than password reset links, though, which can also be intercepted the same way.
One extra step you can take when addressing security is restrict the token authentication to the most often used IP addresses by the user.
Overall, the above approach has more pros than security risks, so I believe any mainstream site should implement it (having in mind all the security implications).
Your system is probably sending some emails. Sometimes these emails contain links to the public part of the site, sometimes they have links to the authentication-protected part. Either way, if the email is sent to registered users (as opposed to just subscribed emails) you should not make the user type in username and password. Even if it’s the public part of the site, the user may then want to do something that requires authentication with the content you display – e.g. add it to favourites. It’s a bit tricky with public content though, and you might not want to have it there, as users tend to forward “digest” or “best this week” emails, and then the recipients will be able to impersonate them, without even knowing.
Anyway, when users click on a link in an email sent by your system, they could be logged in automatically. That’s the product requirement I think many systems should have, and it sounds pretty reasonable. But I’ve rarely seen in. Let’s assume you like it and you want to implement it in your system. How to do that, as there are certainly some security implications?
- For each email sent, generate a token. The token should be the HMAC of (the user’s email (or username, or id) concatenated with the token generation timestamp)
- Use an application-wide, configurable per-environment key for the HMAC. Also use a good hash algorithm, like SHA-256 (and not MD5)
- Append the token to each link in the email. You are probably using an email template, so just have
?emailLoginToken=${token}
for each link. Also pass the email and the timestamp as parameters. - Have a filter/interceptor that looks for that specific parameter name, and if it is found, invoke the authentication-by-token logic (described below)
- Redo the HMAC with the parameters passed (email and timestamp) and compare it to the token parameter
- Check if the token is still valid – you can have an expiration period and don’t allow tokens to be used after more than 2 weeks after generating them.
- If everything is OK (the token passed and the result of redoing the HMAC are the same), login the user (send a session cookie). But add a flag (in the session) that the login was via a token. Then do not allow changing password, email or any “sensitive” action without password confirmation. Use the same conditions as in your “remember me” login, if you have implemented that.
- Have all such links go through https
There’s another, slightly different scenario. Instead of using hmac and sending all the parameters, just generate the token as the hash of the email and timestamp and store it (and the timestamp) in the database, with foreign key to the users table. In this case, the authenticity confirmation comes from the fact, that it’s found in your database, rather than through verifying an HMAC. Then, when the token is presented as a parameter, simply look it up in the database. You should still pass the user’s email as parameter and compare the passed email parameter to the email of the user corresponding to the persisted token (to avoid guesses). On successful login you can delete the token. You may decide not to do this, and have a scheduled job that cleans up tokens older than X weeks. If you delete it immediately, it will be more secure. If you leave it, it will make it possible for the user to open the same mail again, and the login will still work. This approach lets you invalidate tokens on demand. For example if users decides to change their password or email, you can invalidate all their tokens.
It seems like a tough process, but it’s fairly easy to implement. The tough part is taking all the points into account and not compromising security.
Note that security is an important aspect here. As pointed out on reddit, email may be insecure – when the user downloads emails via unsecured POP3 (with Outlook, Thunderbird, etc), an attacker may obtain the links and impersonate the user. That’s why you should restrict the actions the user can perform when logged in via a token. This may not matter that much, since most users either use webmail or secured POP3, or internal email server. But you should not do that for banking software, for example. Having tokens in links is probably less problematic than password reset links, though, which can also be intercepted the same way.
One extra step you can take when addressing security is restrict the token authentication to the most often used IP addresses by the user.
Overall, the above approach has more pros than security risks, so I believe any mainstream site should implement it (having in mind all the security implications).
Hi Bozho’s
Excellent tips! 🙂 I like the idea of linking the email to a token for stop token guessing.
Hey there, I’m a new blogger coming from Campo, United States who found you on http://techblog.bozho.net/?p=1134. Would you have any points for those exploring blogging? I’m hope to fire up
my own site soon but I’m a little lost on everything. Do you think I should get started with a free site like Micro Blogs or invest some cash into a pay site? There are so many choices out there that I’m quite overloaded.
.. What would you say?
Also visit my blog: pit 36 dla kogo
Do you have аny vidеο οf
that? I’d love to find out more details.
Also visit my page – accutane [Dewayne]
With regards to statement 7:
If everything is OK (the token passed and the result of redoing the HMAC are the same), login the user (send a session cookie).
How would you login/authenticate a user without the password?
Example, if you’re using JDBCAuthRealm, the password would most likely be stored in hashed form, and not plain text. So even if you have the correct user, you wouldn’t be able to login using the hashed password.
HttpServletRequest.login(username,password) requires a plain text password.
Any ideas?
You won’t go through request.login. You’ll just load the user from the db based on the token and store it in the session
Hmm, this would be a problem for me, because some of my EJB’s have role restrictions.
@RolesAllowed(“MEMBER”)
Some of my friends recommended generating an encrypted token using the Bouncy Castle encryption library.
With that approach, I suppose one could store the username and password in the encrypted token. Risky tho…
Bozho,
You state:
>You should still pass the user’s email as parameter and compare the passed email parameter to the email of the user corresponding to the persisted token (to avoid guesses).
Can you elaborate on this? Are you saying do this to avoid the user from guessing a valid hash? It seems that making the hash longer would be a more efficient solution to this issue.
Thanks, there’s some great info here.
Well, yes, a longer hash will also do.
Hello, great advice and an fascinating article post, it’s going to
be interesting if this is still the situation in a few months
time
It’s in fact very difficult in this busy life to listen news on TV,
thus I simply use the web for that purpose, and take the hottest information.
Oh my goodness! Amazing article dude! Thanks, However I am experiencing problems with your RSS. I don’t understand why I am unable to join it. Is there anybody having similar RSS issues? Anyone who knows the solution can you kindly respond? Thanx!!
Interested concept of appending to the creation of tokens from users. I apreciate the article.