
Secure logging in via email link

Posted: Tue Sep 27, 2005 3:56 am
by mat106
Hello all,

I have a website that requires users to log in with a username and password, but I also need to be able to allow users to log in via a link included in an email each user receives each time the site is updated.

At the moment the username and password from the login form on the website is passed to the script using POST and compared to a username and password hardcoded into the script (1 username and password for all).

Options I've considered for logging in directly from the email are:
1. Passing the username and password as GET data
2. Passing the username and password as POST data using hidden form fields.

However, both of these methods are insecure and I need a secure alternative. Any idea on how I can go about it?

Thanks.

Posted: Tue Sep 27, 2005 5:49 am
by dbevfat
If you provide a login link, it will be insecure anyway. Option 1, however, is the preferred choice, since not all email clients will interpret forms correctly (or allow their use for that matter).

Your best choice, if you really want a login link, is to send username and password via GET, but use SSL for security. This way, the plain username/password will not be sent over to the server. However, the link still holds this information, so if that is the problem, you'll have to go without that automation.

Best regards,
G

Posted: Tue Sep 27, 2005 5:52 am
by omega-systems
It's not a good idea to have a single username/password pair for all users. Create a username/password pair for each user and store them in a database. Use the GET/POST method to log in. Instead of http, https can be used.

Posted: Tue Sep 27, 2005 6:04 am
by mat106
Thanks for your replies. Any other opinions on the matter, anyone?

Posted: Tue Sep 27, 2005 6:36 am
by feyd
Use a newly computed (and unique to the user) hash instead of their username and password. Avoid sending their real login information as much as possible. Any preference changes, require them to log in again if it was from this hash. Trust nothing.

Posted: Tue Sep 27, 2005 5:05 pm
by mat106
Ok... So let's say I produce an md5 hash for each subscriber from a string that is a combination of a timestamp and something that is unique to each user. I then include the unique hash for each user as a query string of the link in the email for each user, as well as storing all of the md5 hashes in a database.

Given that I don't want the user to have to type in a password before he/she reaches the relevant page, when the user clicks the link in the email, I would then check the value of the query string against the table of md5 hashes in the database and if the query string is one of the entries in the database I grant the user access.

Would that be more secure compared to the other methods mentioned in the thread and WHY? Keeping in mind that having the user enter a password before reaching the relevant page is not really an option, is there any way of making this even more secure?

Thanks.

Posted: Tue Sep 27, 2005 5:20 pm
by Burrito
You could always mix a cookie into the equation as well....

Posted: Wed Sep 28, 2005 9:48 am
by Maugrim_The_Reaper
> Would that be more secure compared to the other methods mentioned in the thread and WHY? Keeping in mind that having the user enter a password before reaching the relevant page is not really an option, is there any way of making this even more secure?

It's more secure because you're no longer requiring the user to send their password in plain text - you're just using a hash. To improve, ensure the hash is deleted when used (after authentication). Also remember that you don't want a user to start bookmarking this link - what if they post it to a public forum (not being insulting - but users can be almightily stupid sometimes ;)).

If this link is going to be a completely permanent solution, then the user is no longer literally typing in their password. Ignoring password remembers (a la Firefox), this can be misused if the PC is shared, and/or someone else can view the browsing history for your site stored by the browser.

Not sure about cookies (mentioned earlier) unless we're talking a Remember Me feature. In any case I would force a login for any higher level actions...
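
The scheme the thread converges on (a per-user value in the link, deleted once used, with a fresh login required for preference changes), as an added example that is not part of any post above. It uses a random token from Python's `secrets` module in place of the md5-of-timestamp value discussed and stores only its SHA-256 digest; the table name, function names and 7-day lifetime are assumptions.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL = 7 * 24 * 3600  # assumed lifetime of an emailed link, in seconds

def open_store():
    db = sqlite3.connect(":memory:")  # in-memory table, for the example only
    db.execute("CREATE TABLE login_tokens (token_hash TEXT PRIMARY KEY,"
               " user_id INTEGER NOT NULL, expires_at REAL NOT NULL)")
    return db

def _digest(token):
    # Only the digest is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()

def issue_token(db, user_id, now=None):
    """Create a fresh per-user token; the return value goes in the email link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute("INSERT INTO login_tokens VALUES (?, ?, ?)",
               (_digest(token), user_id, now + TOKEN_TTL))
    db.commit()
    return token

def redeem_token(db, token, now=None):
    """Return a limited session dict for a valid token, else None.
    The row is deleted on use, so a bookmarked or reposted link is dead."""
    now = time.time() if now is None else now
    try:
        digest = _digest(token)
    except UnicodeEncodeError:
        return None
    row = db.execute("SELECT user_id, expires_at FROM login_tokens"
                     " WHERE token_hash = ?", (digest,)).fetchone()
    if row is None:
        return None
    cur = db.execute("DELETE FROM login_tokens WHERE token_hash = ?", (digest,))
    db.commit()
    # rowcount guards against two requests redeeming the same link at once.
    if cur.rowcount != 1 or row[1] < now:
        return None
    # via_link marks the session so higher-level actions can demand a password.
    return {"user_id": row[0], "via_link": True}

def may_change_preferences(session):
    return session is not None and not session["via_link"]
```

The link in the email carries only the value returned by `issue_token`, and it should be served over https so the token is not exposed in transit.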