Should the user be logged in when clicking on the verify email link?

  • I have a webapp with signup/signin
  • User does a signup with email and password, or a sign in via Google, Twitter, Facebook or GitHub
  • If user is new, then an email is sent to this user to verify their email account while they get redirected to the home page
  • This email contains a link like https://example.com/verify/4f476f1a9c861ddc3... with a random token generated for that user and saved to the database
  • The user may open the email immediately or may open it after a few hours
  • In say 24 hours, the link will expire
  • Should the user be logged in when clicking this link?
  • What should happen if the user is logged out?
  • Also, when the user clicks "verify email" to generate a link, should a new token be generated each time? Is there a limit here to prevent getting attacked by some hacker?
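One way to structure the flow the question describes, as an added example that is not the poster's code: the link carries only a random token, the server stores just its hash, the token expires after the 24 hours named above and is consumed on first use, the verify handler works with or without a session, and re-requesting a link is rate limited. The in-memory dicts, the resend limit of 3 per hour and the session handling are assumptions for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600      # link lifetime from the question: 24 hours
RESEND_LIMIT = 3           # assumption: at most 3 fresh links per window
RESEND_WINDOW = 3600       # assumption: window of one hour

# Constructed in-memory stores standing in for database tables.
users = {}                 # user_id -> {"verified": bool, "resends": [timestamps]}
tokens = {}                # sha256(token) -> {"user_id": ..., "expires": ...}


def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_verification_token(user_id, now=None):
    """Create a new single-use token for user_id; only its hash is stored.
    Returns None when the user has requested too many links recently."""
    now = time.time() if now is None else now
    rec = users.setdefault(user_id, {"verified": False, "resends": []})
    rec["resends"] = [t for t in rec["resends"] if now - t < RESEND_WINDOW]
    if len(rec["resends"]) >= RESEND_LIMIT:
        return None
    # Invalidate any earlier unused token for this user so only the newest link works.
    for h in [h for h, v in tokens.items() if v["user_id"] == user_id]:
        del tokens[h]
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    tokens[_hash(token)] = {"user_id": user_id, "expires": now + TOKEN_TTL}
    rec["resends"].append(now)
    return token


def verify_link(token, session_user=None, now=None):
    """Handler for /verify/<token>. Does not require a session: the token
    identifies the account. Returns (status, user_id)."""
    now = time.time() if now is None else now
    entry = tokens.pop(_hash(token), None)     # pop: single use, even when expired
    if entry is None:
        return ("invalid", None)
    if now > entry["expires"]:
        return ("expired", entry["user_id"])
    users[entry["user_id"]]["verified"] = True
    # The link alone does not log anyone in; if a different account's session
    # is open it is left untouched and the page just reports what was verified.
    if session_user is not None and session_user != entry["user_id"]:
        return ("verified_other_account", entry["user_id"])
    return ("verified", entry["user_id"])
```

An expired token is removed on the failed attempt, so the user has to request a fresh link rather than retrying the old one.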