undefined | Better HN

0 pointso9991y ago0 comments

Not necessarily, some services would have the magic link verify the session that triggered it regardless of browser or device.

I assume it generates a session on the post-login screen and authorize that session upon accessing link

0 comments

ydant1y ago

That has the problem of opening up an attack where the attacker requests the sign-in link, the person receiving the link blindly clicks it, and the attacker now has access.

People blindly click links all the time. It would have a low success rate, but would be more than 0%.

j / k navigate · click thread line to collapse

0 pointso9991y ago0 comments

Not necessarily, some services would have the magic link verify the session that triggered it regardless of browser or device.

I assume it generates a session on the post-login screen and authorize that session upon accessing link

0 comments

ydant1y ago

That has the problem of opening up an attack where the attacker requests the sign-in link, the person receiving the link blindly clicks it, and the attacker now has access.

People blindly click links all the time. It would have a low success rate, but would be more than 0%.

j / k navigate · click thread line to collapse