我提供一个网站注册的会员每周一次的邮件，其中包含的URL在该网站上的私人网页。

I am providing registered members of a website a weekly mailing which contains URLs to private pages on the website.

有关可用性的目的，我不希望用户必须提供凭据后，他们点击URL。

For usability purposes, I don't want the user to have to provide their credentials after they click on the URL.

我使用ASP.NET成员提供程序模型。

I am using the ASP.NET Membership provider model.

如何可以实现此，使得用户可以借助于点击一个专门URL链接被记录在？

How can I implement this so that the user can be logged in by virtue of clicking a specialized URL link?

推荐答案

您可以用一个很长的，随机生成的数字（例如GUID），​​这也是存储在数据库中向他们发送一个网址。当他们点击的网址，您的系统可以将GUID相匹配的用户账号和登录他们进来。

You could send them a URL with a very long, randomly generated number (e.g. a GUID), which is also stored in your database. When they click the URL, your system can match the GUID to their user account and log them in.

要破解这个，黑客就需要尝试的组合的数量巨大，而且可以迅速发现任何暴力攻击你的服务器日志，并禁止该IP地址。

To crack this, a hacker would need to try an enormous number of combinations, and you could quickly spot any brute-force attacks in your server logs and ban that IP address.

但你需要的，如果你认为这是值得的轻微的风险，以提高用户体验来决定的。

But you need to decide if you think it's worth the slight risk, in order to improve your user experience.

在一个项目，我最近工作的，这是非常相似，这一点，我们选择了在安全性更好的用户体验。

In a project I recently worked on, that was very similar to this, we opted for better user experience over security.

（顺便说一句，有办法可以让这个更安全，匹配的GUID，而不是登录的用户后，你可以只告诉他们的私人页面，但需要用户名/密码，如果他们点击远离它，另一家私人网页，也可以有GUID一段时间后过期，说3周。这限制了工作的GUID浮动围绕在被黑客可迷迷糊糊的量。）

(BTW, there are ways you can make this safer. After matching the GUID, rather than logging the user in, you could just show them private page, but then require a username/password if they click away from it, to another private page. You can also have the GUID expire after a period of time, say 3 weeks. This limits the amount of working GUIDs floating around that could be stumbled upon by hackers.)