views: 523

answers: 3

What are some good suggestions or resources to look at to help me secure a single click URL based authentication?

Essentially, the situation is a third party system which accepts an HTTPS request, through the browser, where you supply authentication information (un, pw, authkey, etc.). The service then, upon authenticating the provided credentials, will allow or deny login access. The point being, that if someone clicks on the link, they're automatically granted access to this third party system.

Currently, there isn't a whole lot of security surrounding the whole process (which isn't a big deal because the product isn't in production yet), and the third party is willing to make some modifications to secure this up a bit.

I've already determined I need to hash the information, and probably even submit it via a POST to prevent it from showing information in the browser history. But I'd like a little input on how you all would handle something like this.

[Edit: Requests are and will continue being sent via HTTPS. I also modified the HTTP previously used to be HTTPS]

+5  A: 
  1. Don't think about "secure this up a bit". It's either secure from the ground up, or it's got holes that will cost you dearly.

  2. Look at HTTP Digest Authentication. It's simple, reliable and works well under most circumstances.

  3. Look at the OWASP.org top-10 vulnerabilities. Be sure you understand and address each one.

S.Lott
A: 

You should probably use HTTPS to avoid the credentials being eavesdropped upon while in transit to the third party web server.

Alexander
A: 

Protect yourself from a stale link being used to gain access to the application. Make the link depend on the current time value.

Andrzej Bobak
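A sketch of what a time-dependent, tamper-evident one-click link could look like, tying together the hashing the asker mentions and the time dependency suggested above. This is an added example, not code from the question or from any of the answers; the secret key, the five-minute lifetime and the in-memory nonce set are constructed for the demo (a real deployment would keep the key in a secrets store and the used-nonce list in shared storage).

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed demo values: the shared secret between the issuing site and the
# third-party service, and how long a link stays valid after it was issued.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
LINK_TTL_SECONDS = 300
CLOCK_SKEW_SECONDS = 60
_used_nonces = set()  # replay guard; in production this lives in shared storage

def _signature(user: str, issued_at: int, nonce: str) -> str:
    # HMAC over every field the service checks, joined by a separator that
    # cannot appear in them, so changing any field invalidates the link.
    msg = f"{user}|{issued_at}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def make_login_link(base_url: str, user: str, now: Optional[int] = None) -> str:
    """Build a one-click login URL carrying a timestamp, a nonce and an HMAC."""
    issued_at = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(16)
    params = {"user": user, "ts": issued_at, "nonce": nonce,
              "sig": _signature(user, issued_at, nonce)}
    return f"{base_url}?{urlencode(params)}"

def verify_login_link(query: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Validate the query string of a login link; returns (accepted, reason)."""
    q = parse_qs(query, keep_blank_values=True)
    try:
        user, nonce, sig = q["user"][0], q["nonce"][0], q["sig"][0]
        issued_at = int(q["ts"][0])
    except (KeyError, IndexError, ValueError):
        return False, "malformed"
    expected = _signature(user, issued_at, nonce)
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    current = int(time.time()) if now is None else now
    if current - issued_at > LINK_TTL_SECONDS:
        return False, "expired"
    if issued_at > current + CLOCK_SKEW_SECONDS:
        return False, "issued in the future"
    if nonce in _used_nonces:
        return False, "already used"
    _used_nonces.add(nonce)  # record only after every other check passed
    return True, "ok"
```

The signature check runs before the time check so that a tampered timestamp is rejected as a forgery rather than treated as a merely expired link.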