Username and password in a login link?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

fluvly
Forum Newbie
Posts: 10
Joined: Wed Sep 23, 2009 10:08 am

Username and password in a login link?

Post by fluvly »

I need to create a login link which includes username and password (taken from an intranet), so that when the user clicks it, he gets automatically logged in to the website, without going to the login page.

Is it safe to include the username and password in the URL?

I know nothing about this, and what the most secure way of doing it is. Any help on the matter would be really welcome!
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Username and password in a login link?

Post by pickle »

It's pretty unsafe, for a couple of reasons:
  • If you're able to put that information on a page, that means you have access to a user's username and password in plaintext. It's generally not a good idea to store a user's password in plaintext.
  • If you're sending this information in an email, don't think it's secure. Email is extremely insecure.
  • There's no way to guarantee that only the intended audience will see the link. You don't want to allow 3rd parties to access your site as someone else.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Username and password in a login link?

Post by kaisellgren »

A password should travel over the Internet as little as possible.

If the password is known by anyone/anything else except the user, then something is not right.