
Logging users in automatically via a URL

I am providing registered members of a website a weekly mailing which contains URLs to private pages on the website.

For usability purposes, I don't want the user to have to provide their credentials after they click on the URL.

I am using the ASP.NET Membership provider model.

Question

How can I implement this so that the user can be logged in by virtue of clicking a specialized URL link?


The way most sites deal with this is to have a "leave me logged in" checkbox on their main login page. When selected, it causes a long-duration cookie to be set in the user's browser. Then, when they click the link in your email, the site recognizes the cookie and authorizes access.

You might have to tweak the standard Membership provider a bit to do this, but it shouldn't be too bad.


You could send them a URL with a very long, randomly generated number (e.g. a GUID), which is also stored in your database. When they click the URL, your system can match the GUID to their user account and log them in.

To crack this, a hacker would need to try an enormous number of combinations, and you could quickly spot any brute-force attacks in your server logs and ban that IP address.

But you need to decide if you think it's worth the slight risk, in order to improve your user experience.

In a project I recently worked on, that was very similar to this, we opted for better user experience over security.

(BTW, there are ways you can make this safer. After matching the GUID, rather than logging the user in, you could just show them the private page, but then require a username/password if they click away from it, to another private page. You can also have the GUID expire after a period of time, say 3 weeks. This limits the amount of working GUIDs floating around that could be stumbled upon by hackers.)

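The token-in-URL scheme from the answer above, written out as an added example (not code from the question or either answer). It keeps the three hardening ideas the answer mentions, a limited lifetime, scoping the link to one private page, and quick invalidation, and adds two details a reviewer would ask for: the database stores only a SHA-256 hash of the token, so a copy of the table does not yield working links, and each link works once. The token is drawn from `RandomNumberGenerator` rather than `Guid.NewGuid()`, because GUIDs are not documented as unpredictable. `LoginLinkService`, `LinkRecord` and the in-memory dictionary are assumed stand-ins for a real table keyed by token hash; the `FormsAuthentication.SetAuthCookie` call that would follow in an ASP.NET handler is shown only as a comment so the class compiles without a System.Web reference.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical record type; in production this is a row in the membership database.
public sealed class LinkRecord
{
    public string UserName;
    public string TargetPath;   // the single private page this link is allowed to open
    public DateTime ExpiresUtc; // the answer's "3 weeks" lifetime
    public bool Used;           // one-time use: a forwarded or leaked link only works once
}

public sealed class LoginLinkService
{
    // Stand-in for the database table. The key is the SHA-256 hash of the token,
    // never the token itself.
    private readonly Dictionary<string, LinkRecord> _store = new Dictionary<string, LinkRecord>();
    private readonly TimeSpan _lifetime = TimeSpan.FromDays(21);

    // Creates the token to embed in the mailed URL. Only its hash is stored.
    public string CreateLink(string userName, string targetPath)
    {
        byte[] raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);              // 256 bits from the CSPRNG
        string token = Base64UrlEncode(raw);
        _store[Hash(token)] = new LinkRecord
        {
            UserName = userName,
            TargetPath = targetPath,
            ExpiresUtc = DateTime.UtcNow.Add(_lifetime),
            Used = false
        };
        return token;
    }

    // Called by the page handler with the token from the query string and the
    // path that was requested. Returns null on every failure so the caller gives
    // the same response whether the token is unknown, expired, used or mis-scoped.
    public LinkRecord Redeem(string token, string requestedPath)
    {
        if (string.IsNullOrEmpty(token)) return null;
        LinkRecord rec;
        if (!_store.TryGetValue(Hash(token), out rec)) return null;
        if (rec.Used || DateTime.UtcNow > rec.ExpiresUtc) return null;
        if (!string.Equals(rec.TargetPath, requestedPath, StringComparison.Ordinal)) return null;
        rec.Used = true;
        // In the ASP.NET handler, issue a session-only (non-persistent) cookie here:
        //   FormsAuthentication.SetAuthCookie(rec.UserName, false);
        // and, as the answer suggests, let that session reach only rec.TargetPath.
        return rec;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    private static string Base64UrlEncode(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
}

public static class Program
{
    public static void Main()
    {
        var svc = new LoginLinkService();
        string token = svc.CreateLink("alice", "/members/weekly-report"); // constructed sample values
        Console.WriteLine("mail this: https://example.invalid/members/weekly-report?t=" + token);

        // First click on the right page succeeds; a replay or a different page does not.
        Console.WriteLine(svc.Redeem(token, "/members/weekly-report") != null); // True
        Console.WriteLine(svc.Redeem(token, "/members/weekly-report") != null); // False (already used)
        Console.WriteLine(svc.Redeem(token, "/members/settings") != null);      // False (wrong page)
    }
}
```

Brute-force detection, which the answer relies on, is still worth keeping: log every failed `Redeem` with the source address, since a 256-bit token makes guessing infeasible but the log is what tells you someone is trying.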