
Making a user login via a URL

Say you have a website A and some user B who is registered to use the site. If you send this user email updates whenever the site is updated, is there a way to make the user log in to the site? Say, for example, he needs to be logged in to view the link that you send him in the email, so is there any way that we can automatically log this user in when he visits the link, rather than him having to enter his username and password again? Obviously, sending the username and password in the URL is not safe, so I was looking for other ideas. Any help is much appreciated.


You can store a cookie on the user's machine when they have logged in (if they tick 'keep me logged in' or something).

That way, if you find the cookie when the user returns to your site, you'll know you can 'log them in'.

HOWEVER:

The cookie is per computer, which means that it's not necessarily THE SAME PERSON who will arrive at your site from that machine.

You should probably only give enough privileges to greet the user by name, or whatever, but anything that accesses their private info or asks for payment etc. should require them to re-enter their username and password.

Alternatively, just have the email direct the user to a page, which in turn redirects to login (but remembers in the session where they tried to go) and, as soon as they log in, takes them to the correct destination page. If they have asked their browser to store their username/password for your site, this will be a trivial two-second thing.

Don't underestimate how much users like to feel that you're looking after their security, as well as the user-friendliness of your site. The two things can be a trade-off, and it's important not to get the balance too far over to either end.


I don't know how safe this is, but how about some kind of hash?

website.com?lh=2sdsdk...

and you find your user with it like this:

$stmt = $pdo->prepare("SELECT * FROM users WHERE MD5(CONCAT(id, 'salt', email)) = ?"); // $pdo: an existing PDO connection (assumed); bound parameter instead of interpolating $_GET into the query
$stmt->execute([$_GET['lh'] ?? '']);

You generate that hash with

$hash = md5($user->id.'salt'.$user->email);

But I have absolutely no idea how secure this idea is, and it might take a lot of resources with a big table of users, so any comments about this are more than welcome.

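The token-in-URL idea from the second answer, worked through as an added example (not the poster's code): the deterministic md5(id + salt + email) hash is swapped for a random, expiring, single-use token that is stored only as a hash and looked up with a parameterised query. The schema, the 15-minute lifetime and the sample user are assumptions made here.

```python
import hashlib
import secrets
import sqlite3
import time

# Added example, not from the question or the answers. A link that carries a
# random single-use token: a leaked or forwarded email can no longer log
# someone in once the token has been used or has expired.

TOKEN_TTL = 15 * 60  # assumed lifetime of a link, in seconds


def _hash(token: str) -> str:
    # Only the hash is stored, so a copy of the table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    db.execute("CREATE TABLE login_tokens (token_hash TEXT PRIMARY KEY, "
               "user_id INTEGER, expires_at INTEGER, used INTEGER DEFAULT 0)")
    db.execute("INSERT INTO users VALUES (1, 'b@example.com')")  # constructed sample user
    return db


def issue_link(db, user_id: int, base_url: str, now=None) -> str:
    """Create a fresh token for the user and return the URL to put in the email."""
    now = now or time.time()
    token = secrets.token_urlsafe(32)  # 256 random bits: unguessable, unlike md5(id, salt, email)
    db.execute("INSERT INTO login_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)",
               (_hash(token), user_id, int(now + TOKEN_TTL)))
    return f"{base_url}?lh={token}"


def redeem(db, token: str, now=None):
    """Return the user id for a valid, unexpired, unused token (else None) and burn it."""
    now = now or time.time()
    # Bound parameter: the value from the URL never becomes part of the SQL text,
    # which is what went wrong in the answer's "... = '$_GET[lh]'" string.
    row = db.execute("SELECT user_id, expires_at, used FROM login_tokens WHERE token_hash = ?",
                     (_hash(token),)).fetchone()
    if row is None or row[2] or now > row[1]:
        return None
    db.execute("UPDATE login_tokens SET used = 1 WHERE token_hash = ?", (_hash(token),))
    return row[0]
```

On the login page, a successful redeem() is followed by setting the normal session cookie and redirecting to the page the email pointed at; a failed one falls back to the ordinary username/password form.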