
Anything particularly wrong with putting an auth code in marketing emails?

Çağlar Arlı


I've been working on my first project, and my initial registered users haven't been particularly sticky. I'd like to send them an email with some news and information and have them be instantly logged in when they hit the call-to-action link. I was thinking about generating an auth code with PHP's random_bytes(), and storing it in a table with their corresponding user_id.

So basically, the email would be:

Hey oldUser2017, newUser2018 sent you a message! Click <a href="http://mysortofokproject.com/message/20992?authCode=657f8b8da628ef83cf69101b6817150">here</a> to see it instantly and not even have to log in or reset your password or anything annoying!

And on the backend

// Look the code from the link up in the auth-code table; returns the user_id or null
$userId = getUserIdFromAuthCode($_GET['authCode']);
if ($userId) {
    // Code matched a row: load that user's details and start their session
    $session = getUserDetailsFromUserId($userId);
}

Given that this is how we authenticate an email address and activate an account:

  1. What would be so bad about me doing this?
  2. Is PHP's random_bytes() good enough, and what length would you use?
  3. Should it expire?
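As an added example (not code from the question, and not a description of any project's real implementation), here is one way to build the token the question describes while addressing the three points it raises: the token comes from random_bytes(32), only its SHA-256 hash is stored so a leaked table cannot be replayed as login links, it expires, it is single-use, and it is scoped to one message rather than standing in for the user's full session. The table name, the function names, the one-week lifetime and the use of in-memory SQLite via PDO are all assumptions made for illustration.

```php
<?php
// Added example: single-use, expiring "magic link" token for an email call-to-action.
// Assumptions: pdo_sqlite is available; table/function names are illustrative only.
declare(strict_types=1);

const TOKEN_BYTES = 32;                    // 256 bits of CSPRNG output; guessing is infeasible
const TOKEN_TTL_SECONDS = 7 * 24 * 3600;   // assumed one-week lifetime; shorter is safer

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');   // assumption: in-memory SQLite stands in for the real table
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE email_login_tokens (
            token_hash TEXT PRIMARY KEY,    -- sha256 of the token, never the token itself
            user_id    INTEGER NOT NULL,
            message_id INTEGER NOT NULL,    -- the one resource this link may open
            expires_at INTEGER NOT NULL,    -- unix time
            used_at    INTEGER              -- NULL until redeemed
        )');
    }
    return $pdo;
}

// Issue a token bound to one user and one message; returns the URL-safe token to embed in the email.
function issueToken(int $userId, int $messageId, int $now): string {
    // base64url so the token survives being pasted into a query string unchanged
    $token = rtrim(strtr(base64_encode(random_bytes(TOKEN_BYTES)), '+/', '-_'), '=');
    $stmt = db()->prepare(
        'INSERT INTO email_login_tokens (token_hash, user_id, message_id, expires_at) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $token), $userId, $messageId, $now + TOKEN_TTL_SECONDS]);
    return $token;
}

// Redeem a token presented on /message/{messageId}?authCode=...
// Returns [user_id, message_id] on success, null if unknown, expired, already used,
// or presented against a different message than it was issued for. Marks it used in the
// same transaction so two concurrent clicks cannot both succeed.
function redeemToken(string $token, int $messageId, int $now): ?array {
    $hash = hash('sha256', $token);
    $pdo = db();
    $pdo->beginTransaction();
    $stmt = $pdo->prepare(
        'SELECT user_id, message_id, expires_at, used_at FROM email_login_tokens WHERE token_hash = ?'
    );
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false
        || $row['used_at'] !== null
        || (int)$row['expires_at'] < $now
        || (int)$row['message_id'] !== $messageId) {
        $pdo->rollBack();
        return null;
    }
    $pdo->prepare('UPDATE email_login_tokens SET used_at = ? WHERE token_hash = ? AND used_at IS NULL')
        ->execute([$now, $hash]);
    $pdo->commit();
    return [(int)$row['user_id'], (int)$row['message_id']];
}

// Demo with constructed data: user 42, message 20992 (the ids from the question's example URL).
$now   = time();
$token = issueToken(42, 20992, $now);
$link  = 'https://mysortofokproject.com/message/20992?authCode=' . $token;
echo "Link to embed: $link\n";

var_dump(redeemToken($token, 20992, $now + 60));    // array(42, 20992): first click works
var_dump(redeemToken($token, 20992, $now + 120));   // NULL: already used
var_dump(redeemToken($token, 20993, $now + 60));    // NULL: wrong message (and already used)

$stale = issueToken(42, 20992, $now - TOKEN_TTL_SECONDS - 1);   // issued more than a week ago
var_dump(redeemToken($stale, 20992, $now));         // NULL: expired
```

The design choice worth noting is that the link grants access to a single message, not a full session: anyone who obtains the URL (a forwarded email, a mail server log, a browser history, a Referer header sent to a third-party site linked from the message page) gets at most that one view, once, inside the window. Storing only the hash means the table is useless to someone who reads it, and looking the row up by hash avoids a timing-sensitive comparison in application code.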