We send transactional emails all the time. If the links opened in the main browser where the user actually has a session cookie, things would be fine. But these days, Gmail etc. just launch the link in a mini-browser and the user is simply logged out. For example the link to “manage my subscriptions”.
I thought of having “magic link” information in the transactional emails, to log the user in. However, what if they forward this email to others? A real “magic link” is usually sent in an email that is meant to be acted on quickly (to log in) and it’s clear to the user from the flow that they shouldn’t forward it. But a transactional email can be forwarded months later, and it would inadvertently be sharing links to log in as that user.
One thing I was thinking about is to have a password, that the user chose when registering maybe, and they have to enter it when clicking a magic link. The great thing is that passwords seem to be autofilled across the browser and webview in iOS and Android. Is this actually true for domains other than Gmail’s associated domain? Maybe not!
So the user would have to enter their password manually and log in. After this I guess the webview cookie store or localStorage may let the user stay logged in indefinitely. Or maybe it gets cleared after a while?
Basically, my question is – how can I make it convenient for the user to automatically log into their account after following a link, but not let the recipient of a forwarded email do the same?
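Added example (not from the original poster): the "link plus password" flow described above, sketched server-side in Python. The link carries a signed, expiring token that identifies the account and the intended action, but on its own never creates a session; a session is only issued when the password for that account is also supplied, so someone holding a forwarded email has the token but still cannot log in. The in-memory user and session stores, the `SERVER_KEY`, the purpose string `manage-subscriptions` and all function names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical per-deployment secret; in production load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

# Constructed in-memory stores for the demo.
USERS = {}     # user_id -> (salt, scrypt hash of the password)
SESSIONS = {}  # session_id -> user_id


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def register(user_id: str, password: str) -> None:
    """Store the password the user chose when registering (salted scrypt hash)."""
    salt = secrets.token_bytes(16)
    USERS[user_id] = (salt, _hash_password(password, salt))


def make_link_token(user_id: str, purpose: str, ttl_seconds: int, now=None) -> str:
    """Signed, expiring token to embed in the email link. It only names the
    account and the action it was minted for; it never creates a session."""
    now = time.time() if now is None else now
    payload = {"uid": user_id, "purpose": purpose, "exp": int(now) + ttl_seconds}
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def verify_link_token(token: str, expected_purpose: str, now=None):
    """Return the payload if the signature checks out, the token is unexpired
    and it was minted for expected_purpose; otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        good = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, _b64d(sig)):
            return None
        payload = json.loads(_b64d(body))
    except ValueError:  # bad base64, bad JSON, missing separator
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("purpose") != expected_purpose or payload.get("exp", 0) < now:
        return None
    return payload


def login_from_link(token: str, purpose: str, password: str, now=None):
    """The flow from the post: the link identifies the account, the password
    proves the clicker owns it. Only then is a session id issued."""
    payload = verify_link_token(token, purpose, now=now)
    if payload is None or payload.get("uid") not in USERS:
        return None
    salt, stored = USERS[payload["uid"]]
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = payload["uid"]
    return session_id


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    link = make_link_token("alice", "manage-subscriptions", ttl_seconds=30 * 86400)
    print("owner with password :", login_from_link(link, "manage-subscriptions", "correct horse battery staple") is not None)
    print("forwarded, no pw    :", login_from_link(link, "manage-subscriptions", "") is not None)
```

The token is bound to a purpose so a "manage my subscriptions" link cannot be replayed against a different endpoint, and `exp` bounds how long a forwarded email stays useful at all. Whether the resulting session then survives in the webview's cookie store is up to the cookie attributes you set on `session_id`, which this sketch leaves to the web framework.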