Tags: php, validation, email, phishing

Email validation links being clicked by anti-phishing software


I'm having a situation where it appears that some email validation links that I send as part of my registration process are being prematurely clicked by anti-phishing/anti-spam software. This validates the user account, removes that validation token, and logs the user in to the session. Then, when the actual user clicks the link in the HTML email, the site says that it cannot find the validation token.

Has anyone else experienced anything like this? Are there any tips for designing email validation registration workflows that can work with these types of anti-phishing software?

The user agents hitting my own registration process are as follows:

Real user registers:

"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"

First robot hits validation link:

"Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.8 Safari/534.34"

Another robot?:

 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"

Same robot as above but this time it includes a referrer (my break in the link):

 http: //cp.mcafee.com/d/1jWVIe4x0g3zqb3XWabWqq9KVJ6WrybPP8VASztdN4QsTvd7bNJ6WrybPP8VwSyyOUCMyOMedNBoDSJQDa0aFI43_zOVKCMgf-fbCQQ2310wU_R-jhj76zB-_nKnjjsuVxx5VNy_bnjIyyHt57BgY-F6lK1FJ4SyrLOtXTLuZXTdTdAVPmEBCjzJyF_KPVv8-hBivNMPYpeBI9nt741N1dV15N5RZRSPWtJ8mv8f

This list goes on and on with the PhantomJS browser and the "Chrome/Safari/Edge" browser with the mcafee referrer bouncing back and forth until the real person clicks the link and gets presented with an error.

Has anyone run into this problem creating registration workflows?

UPDATE: I accepted the AJAX answer because it does fix the problem, but I'm still interested in discussion of the design of email validation systems and whether or not anybody else has run into this problem.


Solution

  • As a general rule, GET requests should never do anything.

    You could put a button on the verification URL that needs to be clicked, or make an AJAX call with JavaScript when the page loads. The antivirus software is unlikely to execute JavaScript, and it certainly shouldn't go around clicking buttons.
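The following is an added example, not code from the question or the accepted answer, showing the "GET never changes state" design in PHP (the question is tagged php). It assumes PDO with the pdo_sqlite driver, a `users` table as created in the script, and that the raw token from the link is stored only as a SHA-256 hash. A GET on the verification URL only renders a confirmation form; the token is consumed when the form is POSTed, so a scanner that follows the link leaves the account exactly as it was. It also does not log the user in; verification and login stay separate steps.

```php
<?php
// Added example (not from the question or the accepted answer): a verification
// endpoint that treats GET as read-only and consumes the token only on POST.
// Assumptions: PDO with the pdo_sqlite driver, the `users` table created below,
// and tokens stored hashed so a database leak does not expose live links.
declare(strict_types=1);

function create_schema(PDO $db): void {
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL,
        verified INTEGER NOT NULL DEFAULT 0,
        token_hash TEXT,
        token_expires INTEGER
    )');
}

// Issue a token for the registration e-mail. The raw token goes into the link;
// only its hash is stored, and it expires after $ttlSeconds.
function issue_token(PDO $db, int $userId, int $ttlSeconds = 86400): string {
    $raw = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE users SET token_hash = :h, token_expires = :e WHERE id = :id');
    $stmt->execute([':h' => hash('sha256', $raw), ':e' => time() + $ttlSeconds, ':id' => $userId]);
    return $raw;
}

// Look the token up without touching it; returns null if unknown or expired.
function find_user_by_token(PDO $db, string $raw): ?array {
    $stmt = $db->prepare('SELECT id, email, verified, token_expires FROM users WHERE token_hash = :h');
    $stmt->execute([':h' => hash('sha256', $raw)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['token_expires'] < time()) {
        return null;
    }
    return $row;
}

// Returns [HTTP status, body]. GET never changes state, so a link prefetcher or
// anti-phishing scanner that follows the URL leaves the token in place.
function handle_verification(string $method, array $params, PDO $db): array {
    $raw = $params['token'] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $raw)) {
        return [400, 'Malformed verification token.'];
    }
    $user = find_user_by_token($db, $raw);
    if ($user === null) {
        return [404, 'This verification link is invalid or has expired.'];
    }
    if ($method === 'GET') {
        // Render a form; a person must press the button to complete verification.
        $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
        $body = '<form method="post" action="/verify.php">'
              . '<input type="hidden" name="token" value="' . $safe . '">'
              . '<button type="submit">Confirm my e-mail address</button></form>';
        return [200, $body];
    }
    if ($method === 'POST') {
        // Consume the token in one UPDATE so two concurrent submits cannot both succeed.
        $stmt = $db->prepare('UPDATE users SET verified = 1, token_hash = NULL, token_expires = NULL '
                           . 'WHERE id = :id AND token_hash = :h');
        $stmt->execute([':id' => $user['id'], ':h' => hash('sha256', $raw)]);
        if ($stmt->rowCount() !== 1) {
            return [409, 'This verification link was already used.'];
        }
        return [200, 'E-mail address verified. You may now log in.'];
    }
    return [405, 'Method not allowed.'];
}

// Demo on an in-memory database (constructed data, not real users).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    create_schema($db);
    $db->exec("INSERT INTO users (id, email) VALUES (1, 'user@example.com')");
    $token = issue_token($db, 1);

    // A scanner follows the link (GET): the token survives.
    [$code, $out] = handle_verification('GET', ['token' => $token], $db);
    echo "scanner GET -> $code\n";
    // The real user presses the button (POST): the token is consumed.
    [$code, $out] = handle_verification('POST', ['token' => $token], $db);
    echo "user POST   -> $code: $out\n";
    // A replay of the same POST is rejected because the token is gone.
    [$code, $out] = handle_verification('POST', ['token' => $token], $db);
    echo "replay POST -> $code: $out\n";
}
```

Run it with `php verify.php`; the first POST reports 200 and the replay reports 404. The form-button variant is used here rather than the answer's JavaScript-on-load variant on purpose: the first scanner user agent in the question is PhantomJS, a headless WebKit browser that does execute page scripts, so an AJAX call fired on load can still be triggered by that kind of scanner, whereas a scanner would have to deliberately submit the form to consume the token. If the page does use JavaScript, keep the confirmation request a POST to an endpoint that rejects GET, as `handle_verification` does.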