Example email with call to action:
Screen I'm brought to when I click the call to action:
We have the means to make the action button in emails log customers in automatically, but we don't seem to be using that.
In the context of reengagement, it's pretty likely that customers will have a hard time logging back in, so it seems like a great opportunity to use the auto log in option.
@scruffian says:
There is a library which generates log in links for emails; we need to wrap links in emails to use this library.
@lancewillett says:
I believe this was worked on by David Rothstein on Neutron: p8hgLy-11n-p2
Are there any security concerns we have with logging people in automatically from a link in a reengagement email? I realize we do that with the magic login emails, but those are sent as the result of a direct action on WordPress.com. These are not.
I agree it's a better experience for the intended user, but should we also make it that easy for someone to gain unauthorized access to WordPress.com from a passive promotional email?
There might be, yes, but I think the library has that taken care of. See p58i-7dn-p2 for more details!
Ah, I guess it would also help if I read the post linked in the original description. Pulling details out here for clarity:
Whether or not we are actually able to automatically log a user in depends on a number of security considerations.
Automatic login:
This happens if the user clicks on the link from a browser they've logged in from before, and if the link is less than a week old.
Confirm login:
This happens if the user clicks on the link from a browser they've never logged in from before, and if the link is less than an hour old.
Cannot safely log the user in:
Typically this happens if the user clicks on a link that is too old.
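The three outcomes quoted above, sketched as an added example (not code from this thread or from the login-link library it discusses). The token format, the HMAC signing, the demo key and the names `make_token` and `decide` are assumptions made for illustration; only the one-week and one-hour limits and the known-browser condition come from the quoted post.

```python
import hashlib
import hmac
import time
from enum import Enum
from typing import Optional

# Constructed demo key (assumption); a real deployment loads this from a secret store.
SECRET = b"constructed-demo-key"
AUTO_MAX_AGE = 7 * 24 * 3600   # known browser: link less than a week old
CONFIRM_MAX_AGE = 3600         # unknown browser: link less than an hour old


class Outcome(Enum):
    AUTO_LOGIN = "automatic login"
    CONFIRM_LOGIN = "confirm login"
    REFUSE = "cannot safely log the user in"


def make_token(user_id: int, issued_at: int) -> str:
    """Hypothetical link token: user id, issue time and an HMAC over both."""
    msg = f"{user_id}.{issued_at}"
    sig = hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}.{sig}"


def decide(token: str, browser_known: bool, now: Optional[int] = None) -> Outcome:
    """Apply the three tiers to a clicked link; anything malformed is refused."""
    now = int(time.time()) if now is None else now
    try:
        user_id, issued_at, sig = token.split(".")
        age = now - int(issued_at)
    except ValueError:
        return Outcome.REFUSE
    expected = hmac.new(SECRET, f"{user_id}.{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time compare; a forged or future-dated link is always refused.
    if not hmac.compare_digest(sig.encode(), expected.encode()) or age < 0:
        return Outcome.REFUSE
    if browser_known and age < AUTO_MAX_AGE:
        return Outcome.AUTO_LOGIN
    if not browser_known and age < CONFIRM_MAX_AGE:
        return Outcome.CONFIRM_LOGIN
    return Outcome.REFUSE
```

Note the gap between the tiers: a link clicked from an unrecognised browser more than an hour after sending is refused even though the same link would still log in a recognised browser for the rest of the week.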
I made a patch for this: D28125-code
@scruffian Tested and accepted D28125-code patch. 👍
D28125-code is merged, but there are a lot more emails that need doing, so I'll move this back to the backlog...