I’m developing a website for a client and they are sending out newsletters to their customers (through the website administration interface). The newsletters are personal to each of the subscribed recipients/customers. Each recipient/customer is also a user with a username/password that enables them to sign in on the website and manage their newsletter subscriptions and participate in the site's community.

This all works like a charm. Now my client wants a “Manage my subscriptions” link in the newsletter email that, when pressed, automatically signs the recipient/customer in on the website with no need to remember username and password.

This could be easily solved by making a link like this:

http://mysite.com/manage.aspx?user=peter&password=hounddog

Of course information should not be clear text but encrypted in some way.

This however poses a problem since the only way a user can be authenticated on the website is by providing a valid username and password. In the name of security, passwords are stored as hashed values in the database, making it impossible for me to insert the password in the link.

What is the best way to accomplish this without compromising the security?

+5  A: 

You will have to compromise your security somewhat if you want people to be able to log in without entering a password. Note that even if you had access to the password (as in your example), you would have to embed it in a mail message which would be transmitted in plaintext.

You can create a Guid associated with each user and message, and append it to the URL, and allow that to login automatically.

You could perhaps isolate the permissions so that a login through a newsletter guid link only allows the user to manage subscriptions, but that a real password-login is still required to participate in the forum. In that case it's pretty limited what havoc can be wreaked if someone gets access to a Guid from a mail message.

JacquesB
This is what I have done in the past. Remember to map the GUID and the user's name in a separate table
Rob Allen
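
A sketch of the scheme described in the answer above (one random token per user and message, mapped in a separate table, granting a subscriptions-only login). This is an added example, not code from the answer or its author. The language (Python rather than the site's ASP.NET), the query parameter `t`, the function names, the token lifetime and storing only a hash of the token are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

SCOPE_SUBSCRIPTIONS = "manage_subscriptions"  # the only right a link login grants
TOKEN_TTL_SECONDS = 30 * 24 * 3600            # assumed lifetime, not from the page

# Stand-in for the separate token table: sha256(token) -> row.
# Only the hash is stored, so a leaked table cannot be turned back into links.
token_table = {}


def _digest(token: str) -> str:
    # utf-8 so that arbitrary query-string input hashes instead of raising
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_link(user_id: str, message_id: str, now: Optional[float] = None) -> str:
    """Create one random token per user and newsletter and return the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
    token_table[_digest(token)] = {
        "user_id": user_id,
        "message_id": message_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return f"https://mysite.com/manage.aspx?t={token}"


def redeem(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return a restricted session for a valid token, otherwise None."""
    now = time.time() if now is None else now
    row = token_table.get(_digest(token))
    if row is None or now >= row["expires_at"]:
        return None
    # The session carries the newsletter scope only; forum actions still
    # require a real password login.
    return {"user_id": row["user_id"],
            "scopes": frozenset({SCOPE_SUBSCRIPTIONS})}


def authorize(session: Optional[dict], required_scope: str) -> bool:
    """Gate every action on the scope granted at login time."""
    return session is not None and required_scope in session["scopes"]
```
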
+1  A: 

What about using an encrypted cookie that contains an access token? This cookie would be delivered after a successful authentication by a separate page.

This kind of token can also be part of the URL query string.

Also you might consider using secured https instead of http.

controlbreak
+1  A: 

Could you not insert an encrypted user name bundled with the hash value of the password?

What I mean is, encrypt & encode the user name to always be a particular length or to have a known break character in it, then append the password's hash value. This way, you could break apart the query string easily while still having the user name and password securely encoded. A straight compare of the hash values would be enough, with the unencrypted, decoded user name to allow access.

Captain Toad