|
|
|
|
|
|
by tialaramex
2059 days ago
|
|
|
For email verification it's less scary if that was really all you wanted. If you believe you're verifying that the email went to your user, this isn't enough. Lots of systems parse URLs out of emails and follow them, you probably want to look for a a pre-existing session cookie, or insist the user log in from the verification page and confirm this is what they wanted. Otherwise you've merely got two unrelated facts: 1. Some user of your system (maybe happy_pancake) says bob@example.com is their email address 2. Mail to bob@example.com is received by a machine or person which reads web pages. It would be foolish to conclude from these facts that happy_pancake is actually bob@example.com or that bob@example.com wants to use your service. |
|
|