[credo]

You mention that the nonces expire after a period of time.

If you don't plan on cutting the feature for ever, perhaps you could consider an alternative approach of limiting the validity of the URLs to the first visit and also removing the email-id (and other PII data) of the user from the URL.

[acqq]

The feature is absolutely too dangerous to ever have existed!

It turns out that Facebook implemented the plain links that are more powerful than the password reset procedures, considering the easiness in taking over the account of another user.

Having the actual user id in the link is just a small topping on that cake, not even worth to discuss as long as the "no login just click the link" possibility remains to exist.

[gcorne]

When did the term "nonce" start being used in web application development to refer to a token that expires after a period of time instead of being a true one-time use number/token?

http://en.wikipedia.org/wiki/Cryptographic_nonce

[durin42]

They could both be one-time-use nonces and additionally have an expiration date. That was how I read the statement, but maybe that was generous.

[Evbn]

Nonces are one time use in webapps, unless bad bug.

[gcorne]

WordPress uses them in a similar way to how it sounds like Facebook is using them. I wonder how many others are misusing the term.