Passing login through link??

mariakovacs · December 18th, 2003, 04:37 PM

I know this question is absolutely crazy, but before I say "NO,YOU CAN'T DO THIS" to the client I would like to know there is a way (or no way) to solve this

I have a demo page of a members-only portal. My client wants to show a page that is accessible only to members. Is there a safe way to pass login information through this link? I maybe like a session login...?

Say if I have a trial account set up, can I pass login info through this link?

but maybe this just puts a big security hole on my portal....?

planoie · December 18th, 2003, 04:56 PM

You can most certainly do this, and in reality it's no bigger a security hole than another other form of login on a site. You can use the same precautions to protect the user with either method.

All you need to do is provide the ability to put the login credentials (username, password) in the querystring of the link.

http://www.mywebsite.com/login.asp?u...sword=Password

Simple as that. If you want to protect it, you could force the link to be HTTPS so the request is encrypted.

Peter
------------------------------------------------------
Work smarter, not harder.

mariakovacs · December 18th, 2003, 05:26 PM

That is actually something that I tried. Since it did not work I thought it is something I just can't do through a URL.
This is what happens:
I enter:
http://www.mywebsite.com/login.asp?u...sword=Password
and it kicks me into the login page with an encoded URL.

Why?

Maria

mariakovacs · December 18th, 2003, 05:29 PM

http://www.mywebsite.com/login.asp?r...ord%3DPassword

planoie · December 18th, 2003, 06:10 PM

Well, if your system is set up in such a way that you have to log in to access ANYTHING on the site, then you are out of luck. But you should at least be able to access the login page (not much sense in securing that).

I just used that URL as an example to show that whatever your public login page is, you could simply add in the functionality that checks for values on the URL for "automatic" login.

Peter
------------------------------------------------------
Work smarter, not harder.

mariakovacs · December 18th, 2003, 06:20 PM

I tested 2 URLs with 2 identities. One is my own that has a cookie on my system, and one that is completely new.

I completely logged out and used my own login info in the URL and that logged me in right away through the URL.
When I used the new log in that has not been used in the login page yet(thus no cookie) I got an encoded URL and was thrown to the login page.

So, does this mean that unless the person has already went through the login page and got a cookie for that login, they won't be able to logged in through the URL??

planoie · December 18th, 2003, 06:25 PM

This is getting a tad confusing. Is this site you are trying to "auto login" to one that you have control over? I'm beginning to think that this is not the case.

Peter
------------------------------------------------------
Work smarter, not harder.

planoie · December 19th, 2003, 11:27 AM

The original question posed in this thread was "Can I perform a login thru a link?"
The answer is yes, you can.

Are you unclear about what you actually need to do to make the login work? It sounds like your system is also looking at some cookie values for critical information concerning login. Can you explain what process your go thru when you log in from the login form?

Peter
------------------------------------------------------
Work smarter, not harder.