Not asking for credentials when accessing from mail notification

(OJS 3.1.1-4)

When I’m assigned a (eg., review task) I get an e-mail with the url for the task. Ok.

But if I click in the link provided, I’m logeed in automatically (no need to enter credentials).

Tried both from PC and mobile device. Is this behaviour correct?
Could it be a browser’s or OJS cache issue or is this the normal operation?

Thanks in advance for your reply.


Hi @jascanio,

Do you see a key parameter in the URL? If so, then the link includes an access key that can bypass the user login process. This is used in peer reviews, and can be disabled in setup if you would rather not see that behavior.

Alec Smecher
Public Knowledge Project Team

Hi @asmecher,
Thanks for your reply
Yes I see a key parameter in the url.
I may consider disabling this behaviour. If mail is forwarded to a third party, I understand the addressee will also be able to login.

One question: is the value after the key parameter the password of the user?


No, it is a dedicated access key, distinct from the user’s password.

Hi @ctgraham,

Ok, thanks for your reply.