We want to AutoLogin feature to allow user directly login using link into our Web Application. What is the best way achieve this?
We have following approches in our mind.
1) Store user credentials(username/password) in cookie. Send cookie for authentication.
e.g. http: //www.mysite.com/AutoLogin (here username/password will be passed in cookie)
OR Pass user credentials in link URL.
http: //www.mysite.com/AutoLogin?userid=<>&password=<>
2) Generate randon token and store user random token and user IP on server side database.
When user login using link, validate token and user IP on server.
e.g.
http: //www.mysite.com/AutoLogin?token=<>
The problem with 1st approach is if hacker copies link/cookie from user machine to another machine he can login.
The problem with 2nd approach is the user ip will be same for all users of same organization behind proxy.
Which one is better from above from security perspective? If there is better solution which is other than mentioned above, please let us know.