I have a system, with login and password, which sends notifications by email to users when a certain situation occurs. When the user clicks on the link in the email notification, he is redirected to an internal page of the system; HOWEVER, if the user is not logged in to the system, he will be barred. The question is, how can I "automatically log in" this user at the time of redirection?
Never auto login based on links that are received by email.
There are an infinite number of scenarios that can cause the email to reach another person and/or the email to be read by a third party.
This poses a high security risk as you are giving access without credential validation! If the email is not in the hands of its real owner, they can access the supposedly protected area with nothing more than a click on a link… imagine the sea of problems that ensue!
I suggest that you rethink the strategy to ensure that the link works but the user always has to at least enter their access password.
I suggest that the login is always performed through user input; after successful validation you can redirect the user to the page linked in the email:
In the email comes the link:
When you reach the page without login:
```php
// get the current URL
$urlAtual = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";

// store it in the session
$_SESSION["minhaSessao"]["redirect"] = $urlAtual;

// login and so on...

// login went well, redirect:
header('Location: '.$_SESSION["minhaSessao"]["redirect"]);
exit; // stop the script so nothing else runs after the redirect
```
The success of this operation and/or the methodology varies depending on how the login is performed and how the session is handled.
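One way to implement the redirect-after-login flow described in the answer above, as an added example that is not part of the original answer: it stores only the request path in the session and checks it before redirecting, so the login page cannot be used to send users to another site. The function names, session keys, `/login.php` and `/dashboard` are assumptions, and `session_start()` is assumed to have been called already.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only a same-site path as a redirect target.
function safe_redirect_target(?string $target, string $fallback = '/dashboard'): string
{
    if ($target === null || $target === '') {
        return $fallback;
    }
    // Must start with exactly one "/": "//host" is scheme-relative and
    // "/\host" is treated the same way by some browsers.
    if ($target[0] !== '/'
        || (isset($target[1]) && ($target[1] === '/' || $target[1] === '\\'))) {
        return $fallback;
    }
    // Reject control characters so the value cannot split the header.
    if (preg_match('/[\x00-\x1F\x7F]/', $target) === 1) {
        return $fallback;
    }
    return $target;
}

// Call at the top of every protected page (assumed session key: user_id).
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        // Store path and query only, never a host taken from the request.
        $_SESSION['redirect_after_login'] = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: /login.php'); // assumed login page
        exit;
    }
}

// Call from the login handler once the submitted password has been
// verified (for example with password_verify()).
function complete_login(int $userId): void
{
    $target = safe_redirect_target($_SESSION['redirect_after_login'] ?? null);
    unset($_SESSION['redirect_after_login']);
    session_regenerate_id(true); // new session id after authentication
    $_SESSION['user_id'] = $userId;
    header('Location: ' . $target);
    exit;
}
```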