Should email verification be followed by password-based login? Why?

You certainly should authenticate the user who clicks the link. Otherwise, as you say, someone could inadvertently confirm an email address. However, it is usually possible to authenticate the user transparently, so they don't need to enter their password.

The way we achieve this is using a session cookie. During the signup process, the new user is issued a session cookie. When they click the confirmation link in the email, they will usually use the same browser, so the session cookie will be attached. The web site can verify the user's identity using that cookie.
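The cookie-bound confirmation this answer describes, as an added example that is not part of the original post: a small in-memory Python model in which the emailed token remembers which session created it, so a click from the same browser confirms transparently, a click from elsewhere is only accepted after a password login, and an unauthenticated click confirms nothing. Class, method and field names (`Signup`, `start`, `confirm`, `TOKEN_TTL`) are my own, and the dictionaries stand in for real user, session and token tables.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL = 24 * 3600  # confirmation links expire after a day (constructed value)


def _h(value: str) -> str:
    """Store only a digest of cookies and tokens so a database leak does not expose live ones."""
    return hashlib.sha256(value.encode()).hexdigest()


class Signup:
    """In-memory stand-in for the user, session and token tables (hypothetical names)."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}     # email -> {"confirmed": bool}
        self.sessions: Dict[str, str] = {}   # cookie digest -> email
        self.tokens: Dict[str, tuple] = {}   # token digest -> (email, cookie digest, expiry)

    def start(self, email: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Create the pending account, issue the session cookie and the emailed token."""
        now = time.time() if now is None else now
        self.users[email] = {"confirmed": False}
        cookie = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self.sessions[_h(cookie)] = email
        # The token remembers which session created it; that is what makes the click verifiable.
        self.tokens[_h(token)] = (email, _h(cookie), now + TOKEN_TTL)
        return cookie, token

    def confirm(self, token: str, cookie: Optional[str] = None,
                password_login_email: Optional[str] = None,
                now: Optional[float] = None) -> str:
        """Handle a click on the link. Returns 'confirmed', 'login_required' or 'invalid'."""
        now = time.time() if now is None else now
        entry = self.tokens.get(_h(token))
        if entry is None:
            return "invalid"
        email, bound_cookie, expiry = entry
        if now > expiry:
            del self.tokens[_h(token)]
            return "invalid"
        if cookie is not None and hmac.compare_digest(_h(cookie), bound_cookie):
            pass  # same browser that signed up: the cookie authenticates the user transparently
        elif password_login_email == email:
            pass  # different browser, but the user logged in with their password first
        else:
            return "login_required"  # an unauthenticated click must not confirm the address
        self.users[email]["confirmed"] = True
        del self.tokens[_h(token)]  # single use
        return "confirmed"
```

The `login_required` result is the point of the answer: the link alone proves that someone received the email, not that the person who signed up is the one clicking, so the site either finds the signup session cookie or asks for the password before marking the address confirmed.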


I think an alternative solution might be to ask new users to first specify just an email address, then confirm that with a hashed token, and then ask them to set a password. But I don't see very many online services that do it this way, either.

This is the most secure way as it guards against user enumeration attacks. If the email address is already registered, the user gets a password reset link, if not then they get a link to continue the signup process. Anyone without access to that email address cannot determine whether an account under that email address exists or not.

The signup process then asks the user to set a password and this protects against someone setting up and using an account associated to someone else's email address that they don't have access to.

It is not as widely used as it takes longer to implement, requires awareness of the user enumeration problem in the first place, and in some systems user enumeration is an acceptable risk as accounts on the service are deemed to be generally public anyway (e.g. webmail, as you can't send someone a message without knowing their effective user ID, and you can often verify whether an account exists by sending an email to it).

Another way to do this is the way you are describing, i.e. ask the user to enter their password when they follow the email confirmation link. There is a shortcut available here though: if the user confirms the link from the same session as was used to sign up, you could use this in lieu of a password re-entry. However, be very careful in this case that this does not lead to a session fixation attack. You should invalidate the session token and generate a new one when the user goes to the first step of your signup process. This will ensure that if the session was fixated, the attacker cannot then ride the logged-in session. If you want the extra security of them entering their password again, then you must refresh the session token at the first step and once the confirmation link is followed.