views:

223

answers:

3

Background

We are integrating third party email solution into our site. When a user goes to the Mail page it must be automatically authenticated at the Mail site.

For now, the Mail link points to our page which automatically submits a form with the user's login and password. After clicking submit the user is redirected to the Mail site with authentication cookie.

The problem with this approach is that we do not want the user to see his Mail password, because we generate it automatically for him and there are some sane reasons not to show it.

Question

Is there any way to receive mail authentication cookies without sending the login information to the client and performing form.submit operation from the client's browser? Is there a better way to do what I'm trying to do?

Edit

Of course "I am trying to do it programatically". Looks like that there are no sane solution except pass these login/password to the client. Looks like we must accept that user can see his mail password and somehow make sure he cannot use this information to change password to some other value we will not know.

A: 

Generate unique IDs before sending an email and put them as hidden instead of username/password into form. Make them disposable (usable only once or usable once before successful entering the site)

igorp1024
Store unique IDs in the database, of course...
igorp1024
And what I should do with that unique ID? I must pass username/password, because it is the only way I can login to the site (the interface). Mail provider will know *nothing* about my unique ID.
Roman
Ok, my idea was to (as far as I understood at that moment):1. generate unique ID which is stored in the database and determines the user.2. Send an email to the user containing this ID as hidden in form or (better) as parameter in URL (for example, "http://mysite.com/authenticate.do?id=12345")3. After user receives an email and clicks this link your application analyses the parameter and authenticates the session ( and marks this ID in the database as invalid or used)Sure, this requires Mail-provider code modifications...
igorp1024
+1  A: 

Lookup topics related to your mail vendor and "Pass-through Authentication." You did not mention what vendor/software you are using for your web mail solution, so I can't help you very much there. Other than forwarding the user's information (in a post request) to the login handler.

monksy
+1  A: 

Edit: I didn't read the post correctly, I thought he was trying to login to a remote mail application, not one hosted on his own server. Ignore this answer.

When you login to the remote third party mail website, they will create a cookie (since HTTP is stateless, it's the only way it knows the user is authenticated unless they store some kind of session ID in the url). When you send the user to that site, the site needs to know how to authenticate the user. Even if you logged in from your application and grabbed the cookie, you can set a cookie on the users browser for another website. The only way for this to work is if there is some kind of development API on the third parties website you can hook into, or they allow you to use session id's in the URL.

Possible solution but has a security risk If they allow you to set a session_id in the URL (for instance, PHPSESSID in PHP) then you could grab the session ID and append it to the URL when sending it to the user. I don't really like this idea since if the user clicks on a link in an e-mail, the new page will be able to check the referrer and see their session ID in the URL. This can become a huge security risk.

William
Still thanks for your time and effort
Roman
:), where is this application hosted? Is it on the same server?
William
I do not want name mail provider right now. It is **very** similar to Google Apps (domain mail), http://www.google.com/a/cpanel/domain/new. Of course it is on another server and with another domain name
Roman
Ah, so then my solution might be your best bet then. That is what my question was related to. You don't have another way unless you can work with the mail provider directly. Do they have any kind of API tools?
William