#StackBounty: #session-management What exactly are the session injection concerns when using Firebase Signin Links?

Bounty: 100

I’m guessing this applies to all implementations of sign-in links, but since I’m using Firebase I’d like to understand their concerns: https://firebase.google.com/docs/auth/web/email-link-auth#security_concerns

"Do not pass the user’s email in the redirect URL parameters and re-use it as this may enable session injections."

What exactly are the concerns here?

Knowing that Firebase sign-in links:

  • Expire after 6 hours
  • Can only be used once
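
One way to follow the quoted guidance on the page that completes sign-in, as an added example that is not code from the question: the email handed to the SDK comes only from storage written on the device that requested the link, or from asking the person, and an `email` query parameter on the landing URL is never used. The function names, the storage key and the sample link are assumptions made for illustration.

```javascript
// Added example. EMAIL_KEY, memoryStorage, rememberEmailForLink,
// resolveEmailForLink and forgetEmailForLink are hypothetical names, not Firebase APIs.
const EMAIL_KEY = 'emailForSignIn'; // assumed storage key

// Constructed sample: a landing URL that carries an email parameter.
const SAMPLE_LINK =
  'https://app.example/finish?mode=signIn&oobCode=CONSTRUCTED&email=someone-else%40example.com';

// Offline stand-in for window.localStorage (same getItem/setItem/removeItem shape).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Run on the device that requests the link, once the link email has been sent.
function rememberEmailForLink(storage, email) {
  storage.setItem(EMAIL_KEY, email.trim());
}

// Run on the page the link opens. Returns the email to give to the SDK's
// sign-in call, or null if none is available. The URL is inspected only to
// report that an email parameter was present; its value is never used.
function resolveEmailForLink(href, storage, askUser) {
  const urlHadEmail = new URL(href).searchParams.has('email');
  const stored = storage.getItem(EMAIL_KEY);
  if (stored) {
    return { email: stored, source: 'storage', urlHadEmail };
  }
  // Link opened on another device or browser: the person must supply the address.
  const typed = (askUser() || '').trim();
  return typed
    ? { email: typed, source: 'prompt', urlHadEmail }
    : { email: null, source: 'none', urlHadEmail };
}

// Call after sign-in succeeds so the stored address is not left behind.
function forgetEmailForLink(storage) {
  storage.removeItem(EMAIL_KEY);
}

const demo = memoryStorage();
rememberEmailForLink(demo, 'alice@example.com');
console.log(resolveEmailForLink(SAMPLE_LINK, demo, () => null));
```

In a browser, `storage` would be `window.localStorage` and `askUser` a prompt for the address; the returned `email` is what gets passed to the SDK's `signInWithEmailLink` call.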
