I envision a login / registration system in which the user enters his email and receives an email with a link to connect. The user clicks on the link and logs in automatically (confirming the email address in the process).
This would be a form of authentication without a password.
The problem I see with this approach is that a link will send a GET request – but this GET request will change the state of the user session (enable it).
GET requests should (according to the HTTP standard) never have any side effects. This is something that browsers also assume, which means that they can pre-extract GET queries to optimize performance / user experience.
Suppose you use Gmail in the browser. Could it then happen that the browser takes the link in the email in advance?
It would be a huge security problem if just opening the email was enough to connect to the site.
What I have considered
Am I right in assuming that?
Is it bad practice to do it this way?
Using an HTML form in the body of e-mail
Another option would be to place a form in the email, which would allow a POST request directly from the email.
However, it appears that many email clients will block form submissions in emails. Email clients that allow form submissions tend to warn the user that the mail is likely malicious. It seems like it's not really a good solution.