Best practices for automatic login URL's?
In addition to ensuring a token is single use, has a short expiration and that the token is sufficiently random and long:
- I'd recommend limiting the number of valid tokens in existence at any given time (preferably to 1). That way your exposure to compromised codes is limited to a fixed number.
- Having the code in the parameters of a GET request will expose the code in most HTTP logs (eg. browser history). This is mostly mitigated by making the codes single use, but ideally you'd only send them the login link without the code embedded and make them copy the code from the email to the login page manually.