I've successfully configured auto-login and now I can allow clients to see their invoice with one click from the email, instead of forcing them to log in to pay something.
The problem is: Emails are not secure, so it may happen that someone gets a copy or gets access to the client's email, so in possession of the special URL (with hash and all), he will be FULLY logged in to the system, for anything that he/she wishes to do.
My suggestion: Create some kind of option for one of these:
1. Limit that some pages will have to have manual login, even if auto-login was used at first (Ex: See/Edit Client personal data, or purchase plans, or cancel plans, see Services, Manage Services, etc...)
2. Prevent browsing after auto-login. So if a user came to see his invoice, that'd be all he would see without being asked for manual authentication. Same for tickets.
I guess this is important. Please consider.
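
A sketch of the two options requested above, added here as an illustration; it is not part of the original post and not the product's own code. The token layout, the `invoice:1042` scope string, the key and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # constructed value; keep the real key in a secret store


def _sign(payload, key):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def make_link_token(client_id, scope, expires_at, key=SECRET):
    """Bind the e-mailed link to one client, one resource and an expiry time.

    Assumes numeric client ids and scopes that contain no '|' character.
    """
    payload = f"{client_id}|{scope}|{expires_at}"
    return f"{payload}|{_sign(payload, key)}"


def open_session(token, now=None, key=SECRET):
    """Return a limited 'link' session for a valid token, otherwise None."""
    now = time.time() if now is None else now
    parts = token.split("|")
    if len(parts) != 4:
        return None
    client_id, scope, expires_at, sig = parts
    expected = _sign(f"{client_id}|{scope}|{expires_at}", key)
    if not hmac.compare_digest(sig, expected):
        return None  # altered client, scope or expiry
    if not expires_at.isdigit() or int(expires_at) < now:
        return None  # expired link
    # The session remembers HOW the user authenticated and WHAT the link was for.
    return {"client_id": client_id, "auth_level": "link", "scope": scope}


def password_login(client_id):
    """Session created by a normal manual login (credential check omitted here)."""
    return {"client_id": str(client_id), "auth_level": "full", "scope": "*"}


def authorize(session, resource):
    """Return 'allow', or 'login_required' to send the user to manual login."""
    if session is None:
        return "login_required"
    if session["auth_level"] == "full":
        return "allow"
    # Auto-login session: only the exact resource named in the link is visible.
    return "allow" if resource == session["scope"] else "login_required"
```

With this shape, someone holding a copied link can open that one invoice until the link expires, while profile, services and purchase pages answer with a login prompt.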