
Bind Magic Link to Requesting Device

Ensure magic links can only complete authentication on the device/browser that initiated the login request. This prevents token hijacking if a magic link is intercepted in transit or from the mailbox.

  • On login request:
      • If a device_token cookie exists: reuse that token value and extend the cookie expiry (supports multiple concurrent login requests from the same browser)
      • If no cookie: generate a new device_token (UUID v4)
      • Store the token in the DB, associated with the magic link record
      • Set/update the HTTP-only cookie with SameSite=Lax (required so the cookie is sent when the link is clicked from the email; Strict would block it)
  • On verification: compare the device_token cookie to the stored value
      • The cookie is required; if it is missing or mismatched, show an error but do not invalidate the link
      • Error message: "This link is only valid on the device where you started the login. Please return to that device and try again."
      • The link remains usable on the correct device until expiration
  • Cookie expiration: 2x magic link TTL
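The flow above, as an added example that is not part of the original ticket: an in-memory stand-in for the link table, the issuance step that reuses or mints the device_token, and a verifier that rejects a missing or wrong cookie without burning the link. The 15-minute link TTL and consuming the link on a successful verification are assumptions; the cookie attributes and error text follow the spec.

```python
import secrets
import time
import uuid
from dataclasses import dataclass

LINK_TTL = 15 * 60          # magic link lifetime in seconds (assumed value)
COOKIE_TTL = 2 * LINK_TTL   # cookie outlives the link, per the spec
DEVICE_MISMATCH_MSG = ("This link is only valid on the device where you started "
                       "the login. Please return to that device and try again.")

@dataclass
class MagicLink:
    email: str
    device_token: str   # bound at issuance, never sent in the email
    expires_at: float
    used: bool = False  # assumed: a link is single-use on success

class MagicLinkStore:
    """Stand-in for the DB table holding magic link records."""
    def __init__(self):
        self.links = {}  # link token -> MagicLink

    def request_login(self, email, cookies, now=None):
        """Handle a login request; return (link_token, cookie attributes to set)."""
        now = time.time() if now is None else now
        # Reuse the browser's existing device_token so several pending requests
        # from one browser all stay valid; otherwise mint a fresh UUID v4.
        device_token = cookies.get("device_token") or str(uuid.uuid4())
        link_token = secrets.token_urlsafe(32)
        self.links[link_token] = MagicLink(email, device_token, now + LINK_TTL)
        # Lax (not Strict) so the cookie accompanies the top-level navigation
        # from the mail client; max_age is refreshed on every request.
        cookie = {"name": "device_token", "value": device_token,
                  "max_age": COOKIE_TTL, "httponly": True, "samesite": "Lax"}
        return link_token, cookie

    def verify(self, link_token, cookies, now=None):
        """Return (ok, message). A device mismatch never invalidates the link."""
        now = time.time() if now is None else now
        link = self.links.get(link_token)
        if link is None or link.used or now > link.expires_at:
            return False, "This link is invalid or has expired."
        presented = cookies.get("device_token")
        if presented is None or not secrets.compare_digest(
                presented.encode(), link.device_token.encode()):
            return False, DEVICE_MISMATCH_MSG  # link stays usable on the right device
        link.used = True
        return True, "ok"
```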