[vmfunction]

Hopefully using POST not GET. The GET links get logged in the HTTP server most of time. Just another great way to store your 'security credential' in plain text. Logs gets zipped and archive. Good luck with any security measure.

[andersa]

I mean of course the idea was to put it in a form that is sent using POST, but even then, it's a single-use reset code so once it shows in the log it's worthless.

[fullspectrumdev]

This makes a large assumption about application logic that is often incorrect.

t. security auditor/researcher.

[rapind]

It certainly does. Security usually comes at the cost of convenience and can incur confusion.

In this example, where best practice may be to use one time tokens, you will end up with users who click on the secure link again (from their email) in the future to access the secure site and they’ll be frustrated when they have to go through the secure link generation dance again.

Of course you can mitigate this with sessions / cookies, but that is also a security compromise and not device portable.

It’s easy to say that these are minor uxp concerns, but enforcing a high level of security may have a significant user cost depending on your demographic. I have a demographic that skews older and non technical and they are pretty loud when they complain about this stuff… meanwhile they are also more likely to reuse passwords and forward emails with secure links in them!

[conductr]

Some people will always find something to complain about. I feel like it’s completely reasonable to give a “sorry this link was only valid for 5 minutes and is now expired, request a new code here” message. State it in the email that originally contained the link and state it again on the page when they click it afterwards. This is incredibly common practice and very unlikely to be the first time someone has seen this workflow. If they want to complain further, direct them to a password manager and remind them there’s probably one built into their browser already

[rapind]

> State it in the email that originally contained the link and state it again on the page when they click it afterwards.

No one reads this stuff. I’m not saying this to be argumentative. I have a large user base and I know from experience.

[conductr]

Oh I definitely agree. But the point is that you’ve informed them of the process before expiring their link. These types of complainers are just looking for an easy button and don’t care about your security policies so I say to do this just so you can point at it and say it’s your process if someone really gets their panties in a wad over it.

It’s also why you say it on the site when the link is found to be expired. You basically remind them of the email even though they didn’t read it. Just consistent messaging is all. It might reduce the number of folks that decide to yell at you over it but will never fully eliminate them.

IMO the appropriate easy button is them using a password manager which is what I’d recommend. Also, just ignore these complaints if they don’t take your explanation and really push hard it’s a customer not worth pleasing at some point.