In my question and answer application, Joe signs up, logs in and adds a question

Question

In my question and answer application, Joe signs up, logs in and adds a question. He then shares the question via email to his trusted friends.

How safe is it to provide a link within that app generated email to allow his friends to directly respond to the question without having to register on the site?

The key goal is that I would like the user's friends to be able to respond to his question without having to register on the application site. Assume that the link embeds the email id of the receiver, so the app can map each response to the email id that initiated that link.

What precautions do I need to include to avoid or detect malicious clicks on that link?

Explanation / Answer

Including a unique identifier or token in each individual e-mail is the best bet. This token should be random, hard to guess, and from a large enough set that randomly entering values will never produce a valid token.

These tokens should then be limited in the scope and scale of what they can do. If you limit the users to a single response and commentary on that response, then sharing the link will be largely mitigated as only one main entry can be made from that e-mail without registering.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.