Question

When users verify their email address successfully, could I just log them in automatically?

I consider the following reasons to do so:

  • The link is a random hash
  • Users will already be annoyed by having to validate
  • I will trust anybody who has access to the email inbox anyway, since you can reset your password
  • Users can of course only validate (and therefore autologin) once

I am asking because sending a link that logs you in automatically makes me feel like I am missing something.

Solution

It is better if you at least ask them for their password for email verification. That way, you actually verify that the email address belongs to the user.

If you auto-login, you just verify that the email address exists and that the user this email address belongs to wants access to the account.

Regarding your third point: you hopefully only trust the person(s) with access to that address once you have verified that the address actually belongs to the user (which you could do by asking for the password during verification).
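As an added illustration (not code from the question or the answers), this sketch implements the single-use random link token from the question together with the accepted answer's option of asking for the password before the session is created. The in-memory dicts stand in for a database, and the stored password hash and link token are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the database (assumption of this example).
USERS = {}     # email -> {"salt": bytes, "pw_hash": bytes, "verified": bool}
TOKENS = {}    # sha256(raw link token) -> {"email": str, "expires": float}
TOKEN_TTL = 24 * 3600   # link validity in seconds

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(email, password):
    """Create an unverified account; return the raw token to embed in the email link."""
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "pw_hash": _pw_hash(password, salt), "verified": False}
    raw = secrets.token_urlsafe(32)            # the "random hash" in the link
    # Store only a hash of the token so a leaked table cannot be replayed as links.
    TOKENS[hashlib.sha256(raw.encode()).hexdigest()] = {
        "email": email, "expires": time.time() + TOKEN_TTL}
    return raw

def verify(raw_token, password=None, now=None):
    """Consume a link token. Returns (email, session_id) on success, else None.

    password=None is the auto-login variant from the question; passing the password
    adds the accepted answer's check that the clicker also owns the account.
    """
    now = time.time() if now is None else now
    # Single use: the record is removed on first lookup, so a replayed link (or a
    # wrong password guess) burns it and the user must request a fresh link.
    rec = TOKENS.pop(hashlib.sha256(raw_token.encode()).hexdigest(), None)
    if rec is None or rec["expires"] < now:
        return None
    user = USERS.get(rec["email"])
    if user is None:
        return None
    if password is not None and not hmac.compare_digest(
            user["pw_hash"], _pw_hash(password, user["salt"])):
        return None
    user["verified"] = True
    return rec["email"], secrets.token_urlsafe(32)   # fresh session id, never the link token
```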

OTHER TIPS

Yes, you can. It's quite reasonable. As long as, as you say, you only allow it once for the given generated URL.

Slightly off-topic rambling: Though I'm slightly biased about this approach, because I happen to think that email-based login (i.e. generated login token sent to the email) is one of the "better" ways to prevent phishing in general, because it takes away the need for the user to even know their password for your site (they just need to go to it and request a 'login' token). Anyway, that's another matter.

Yes, I think you should log them in automatically. It'll be even more annoying if they have to verify their email and then log in again. What's the point of the verification then? If the verification is successful, that means you already trust them, so log them in.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow