Secure logging in via email link

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

mat106
Forum Newbie
Posts: 16
Joined: Wed Aug 31, 2005 2:52 am

Secure logging in via email link

Post by mat106 »

Hello all,

I have a website that requires users to log in with a username and password, but I also need to be able to allow users to log in via a link included in an email each user receives each time the site is updated.

At the moment the username and password from the login form on the website are passed to the script using POST and compared to a username and password hardcoded into the script (1 username and password for all).

Options I've considered for logging in directly from the email are:
1. Passing the username and password as GET data
2. Passing the username and password as POST data using hidden form fields.

However, both of these methods are insecure and I need a secure alternative. Any idea how I can go about it?

Thanks.
dbevfat
Forum Contributor
Posts: 126
Joined: Tue Jun 28, 2005 2:47 pm
Location: Ljubljana, Slovenia

Post by dbevfat »

If you provide a login link, it will be insecure anyway. Option 1, however, is the preferred choice, since not all email clients will interpret forms correctly (or allow their use for that matter).

Your best choice, if you really want a login link, is to send username and password via GET, but use SSL for security. This way, the plain username/password will not be sent over to the server. However, the link still holds this information, so if that is the problem, you'll have to go without that automation.

Best regards,
G
omega-systems
Forum Newbie
Posts: 14
Joined: Tue Sep 27, 2005 5:01 am

Re: Secure logging in via email link

Post by omega-systems »

It's not a good idea to have a single username/password pair for all users. Create a username/password pair for each user and store them in a database. Use the GET/POST method to log in. Instead of HTTP, HTTPS can be used.
mat106
Forum Newbie
Posts: 16
Joined: Wed Aug 31, 2005 2:52 am

Post by mat106 »

Thanks for your replies. Any other opinions on the matter, anyone?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Use a newly computed (and unique to the user) hash instead of their username and password. Avoid sending their real login information as much as possible. For any preference changes, require them to log in again if the session came from this hash. Trust nothing.
mat106
Forum Newbie
Posts: 16
Joined: Wed Aug 31, 2005 2:52 am

Post by mat106 »

OK... So let's say I produce an md5 hash for each subscriber from a string that is a combination of a timestamp and something that is unique to each user. I then include the unique hash for each user as a query string of the link in the email for each user, as well as storing all of the md5 hashes in a database.

Given that I don't want the user to have to type in a password before he/she reaches the relevant page, when the user clicks the link in the email I would then check the value of the query string against the table of md5 hashes in the database, and if the query string is one of the entries in the database I grant the user access.

Would that be more secure compared to the other methods mentioned in the thread and WHY? Keeping in mind that having the user enter a password before reaching the relevant page is not really an option, is there any way of making this even more secure?

Thanks.
Last edited by mat106 on Tue Sep 27, 2005 5:28 pm, edited 1 time in total.
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

you could always mix a cookie into the equation as well....
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Would that be more secure compared to the other methods mentioned in the thread and WHY? Keeping in mind that having the user enter a password before reaching the relevant page is not really an option, is there any way of making this even more secure?
It's more secure because you're no longer requiring the user to send their password in plain text - you're just using a hash. To improve, ensure the hash is deleted when used (after authentication). Also remember that you don't want a user to start bookmarking this link - what if they post it to a public forum (not being insulting - but users can be almightily stupid sometimes ;)).

If this link is going to be a completely permanent solution, then the user is no longer literally typing in their password. Ignoring password remembering (a la Firefox), this can be misused if the PC is shared, and/or someone else can view the browsing history for your site stored by the browser.

Not sure about cookies (mentioned earlier) unless we're talking a Remember Me feature. In any case I would force a login for any higher level actions...
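As an added example (not code from the thread or any of its posters), the flow mat106 sketches with the refinements feyd and Maugrim suggest, in PHP: a per-user token issued at mailing time, stored only as a hash, checked when the link is clicked, consumed on first use so a bookmarked or forwarded link cannot be replayed, given an expiry, and a session marked as link-authenticated so higher-level actions can force a password login. The token is drawn from random_bytes() rather than being an md5 of a timestamp plus a user attribute, since those inputs are guessable. The table layout, the URL and the auth-level values are assumptions.

```php
<?php
// Added example, not code from the thread. Table, URL and auth-level names are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tokens (user_id INTEGER, token_hash TEXT UNIQUE,
           expires_at INTEGER, used INTEGER DEFAULT 0)');

// Issue the link for one user at mailing time. The token is random rather than an
// md5 of timestamp + user attribute, and only its hash is stored, so a leaked
// database does not yield working links.
function issueLoginLink(PDO $db, int $userId, int $ttl = 86400): string {
    $token = bin2hex(random_bytes(32));                        // 256 bits of entropy
    $db->prepare('INSERT INTO login_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), time() + $ttl]);
    return 'https://example.com/login.php?t=' . $token;        // hypothetical URL
}

// Redeem the token from the clicked link: reject malformed, unknown, expired or
// already-used tokens, and consume it on success so the link is one-time only.
// Returns a session array marked as link-authenticated, or null on failure.
function redeemLoginToken(PDO $db, string $token): ?array {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) return null;
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT user_id, expires_at, used FROM login_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['used'] || $row['expires_at'] < time()) { $db->rollBack(); return null; }
    $db->prepare('UPDATE login_tokens SET used = 1 WHERE token_hash = ?')->execute([$hash]);
    $db->commit();
    return ['user_id' => (int)$row['user_id'], 'auth_level' => 'link'];
}

// Higher-level actions (preference changes etc.) require a password login in this
// session; a link-authenticated session only gets read access to the updated page.
function canChangePreferences(?array $session): bool {
    return $session !== null && $session['auth_level'] === 'password';
}

// Constructed demo run.
$link = issueLoginLink($db, 42);
parse_str(parse_url($link, PHP_URL_QUERY), $qs);
var_dump(redeemLoginToken($db, $qs['t']));        // array: user_id 42, auth_level 'link'
var_dump(redeemLoginToken($db, $qs['t']));        // NULL: one-time link already consumed
var_dump(canChangePreferences(['user_id' => 42, 'auth_level' => 'link']));  // bool(false)
```

Serve login.php over HTTPS only, as dbevfat notes, since the token travels in the query string and would otherwise be readable in transit and in intermediate logs.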