I am working on a system where the administrator can configure the following behaviour for email addresses:
- Allow users to attach multiple email addresses to their account (just like Facebook and Linkedin).
- Only allow 1 email to be attached to each account.
As email addresses are used to log into the system, ensuring that users have entered the correct email address is very important. We do this by sending them an email with a link to confirm the email address if they add a new email address or change their email address. This has to be done before that email address can be interacted with/used on the site.
The question is: Once the user clicks the link in the email, should we automatically log them in, or should we force them to enter their email address and password to log in? This is assuming that the user is not logged into the site yet.
Are there any perceived and actual security implications of automatically logging in the user on confirmation of the address?
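To make the trade-off concrete, here is an added example (not code from the original post or the system it describes) of the confirm-by-link flow: the link carries a random, single-use, expiring token that is stored only as a hash, the address cannot be used to log in until it is confirmed, and the auto-login decision is a single explicit flag so that what it grants is visible in one place. The class and field names, the 24-hour lifetime, the one-address replacement rule and the in-memory dictionaries standing in for the database are all assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

CONFIRMATION_TTL_SECONDS = 24 * 3600  # assumption: a link is valid for one day


@dataclass
class Account:
    user_id: int
    # address -> True once the user has proved control of it
    emails: dict = field(default_factory=dict)


@dataclass
class PendingConfirmation:
    user_id: int
    email: str
    expires_at: float
    used: bool = False


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked database does not leak live links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class EmailConfirmationService:
    """Constructed stand-in for the real system; both admin settings are flags."""

    def __init__(self, allow_multiple_emails: bool, auto_login: bool, now=time.time):
        self.allow_multiple_emails = allow_multiple_emails
        self.auto_login = auto_login       # the policy the question is about
        self.now = now                     # injectable clock (assumption, for testing)
        self.accounts: dict[int, Account] = {}
        self.pending: dict[str, PendingConfirmation] = {}   # token hash -> record
        self.sessions: dict[str, int] = {}                  # session id -> user_id

    def request_confirmation(self, user_id: int, email: str) -> str:
        """Register a new or changed address; return the secret to embed in the link."""
        self.accounts.setdefault(user_id, Account(user_id))
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self.pending[_hash_token(token)] = PendingConfirmation(
            user_id, email, self.now() + CONFIRMATION_TTL_SECONDS)
        # Until confirmed the address is not attached, so it cannot be used to log in.
        return token

    def confirm(self, token: str):
        """Handle the click. Returns (user_id, session_id or None) or raises."""
        rec = self.pending.get(_hash_token(token))
        if rec is None or rec.used:
            raise PermissionError("unknown or already used confirmation token")
        if self.now() > rec.expires_at:
            raise PermissionError("confirmation token expired")
        rec.used = True                        # single use, whatever happens next

        acct = self.accounts[rec.user_id]
        if not self.allow_multiple_emails:
            acct.emails.clear()                # one-address mode: new address replaces old
        acct.emails[rec.email] = True

        if not self.auto_login:
            return rec.user_id, None           # user still authenticates with a password
        # With auto-login the emailed link becomes a bearer credential for the whole
        # account: whoever holds it (mailbox access, a forwarded mail, mail server logs,
        # shared browser history) gets a session, not just a confirmed address.
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = rec.user_id
        return rec.user_id, session_id

    def can_login_with(self, email: str) -> bool:
        """Only confirmed addresses are usable as login identifiers."""
        return any(a.emails.get(email) for a in self.accounts.values())
```

With `auto_login=False` the worst a leaked or replayed link can do is confirm an address that the account holder already asked to attach; with `auto_login=True` the same link also yields an authenticated session, which is the difference the question is asking about.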