Should the user be logged in when clicking on the verify email link?
- I have a webapp with signup/sign-in
- User does a signup with email and password or a sign-in via Google, Twitter, Facebook or GitHub
- If user is new, then an email is sent to this user to verify their email account while they get redirected to the home page
- This email contains a link like https://example.com/verify/4f476f1a9c861ddc3..., i.e. a random token generated for that user and saved to the database
- The user may open the email immediately or may open it after a few hours
- In, say, 24 hours, the link will expire
- Should the user be logged in when clicking this link?
- What should happen if the user is logged out?
- Also, when the user clicks "verify email" to generate a link, should a new token be generated each time? Is there a limit here to prevent getting attacked by some hacker?
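One way to structure the token flow the question describes, as an added example that is not part of the original post: the verify step takes nothing but the token from the link, so it works whether or not a browser session exists; each new "verify email" request replaces the previous token; tokens are single use, expire after the 24 hours mentioned, and are stored only as a hash. `VerificationStore`, `_digest` and the one-per-minute resend interval are hypothetical stand-ins for the app's database and policy.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600        # 24-hour expiry, as in the question
RESEND_MIN_INTERVAL = 60     # assumed policy: at most one new link per minute per user


def _digest(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table does not yield working links.
    return hashlib.sha256(token.encode()).hexdigest()


class VerificationStore:
    """Hypothetical in-memory stand-in for the table holding pending verification tokens."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.by_hash = {}     # token hash -> {"user": ..., "expires": ..., "issued": ...}
        self.by_user = {}     # user id -> current token hash (one live token per user)
        self.verified = set()

    def issue(self, user_id: str) -> str:
        """Return a fresh token for the link; the user's previous token stops working."""
        old = self.by_user.get(user_id)
        if old and self.clock() - self.by_hash[old]["issued"] < RESEND_MIN_INTERVAL:
            raise RuntimeError("resend requested too soon")   # throttles mail flooding
        if old:
            del self.by_hash[old]
        token = secrets.token_urlsafe(32)                      # 256 bits from the OS CSPRNG
        h = _digest(token)
        now = self.clock()
        self.by_hash[h] = {"user": user_id, "expires": now + TOKEN_TTL, "issued": now}
        self.by_user[user_id] = h
        return token

    def verify(self, token: str):
        """Consume the token from /verify/<token>. Needs no session: the token alone names the user."""
        rec = self.by_hash.get(_digest(token))   # lookup by hash; the token is never stored or compared raw
        if rec is None or self.clock() > rec["expires"]:
            return None                          # unknown, already used, replaced, or expired
        del self.by_hash[_digest(token)]         # single use
        del self.by_user[rec["user"]]
        self.verified.add(rec["user"])
        return rec["user"]                       # caller may now start a session for this user
```

After a successful `verify`, the app can choose to sign the user in itself rather than requiring an existing session, since the token already proves control of the mailbox.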