Thread: https://forums.phpfreaks.com/topic/131045-sending-login-information-through-link/

Vaclavious, posted November 2, 2008:

hello all

i'm still a noob concerning php, but i was wondering if it would be possible to program something that crossed my mind and found this site when searching for answers.

anyway, i want to be able to log on to my site directly by clicking on a link on another site. most of the activation links when registering on the site log you in directly, and i want to do the same thing (on already activated accounts obviously).

so i guess i'll need a script where i'll write down my username, password and link to the site, and everything should be stored in the database, and then create a link that will gather that information and log me in on selected site.

i probably won't be able to program it, so i'll pay a professional to do it, but i'm just wondering if it is possible, and should i be worried about the security of that method?

i hope i described it well, and thanks in advance for answers.

Vaclavious
genericnumber1, posted November 2, 2008:

Yeah, you shouldn't use that method. I don't know any websites that do as.. well... frankly, it would be stupid.

Most websites that do something similar log you in when you sign up for the account and then send you an activation email for you to click.. it activates your account and you're still logged in from before. That is the only method where I could see something like this being beneficial.
laffin, posted November 2, 2008:

Yes, it's possible.

ya wud never use yer login info in yer link. Usually such links are ip based, meaning, ya wud make a link for each location ya plan on, and possibly temp links (links good for only a few logins or a period of time).

but the options are pretty much endless
Vaclavious (author), posted November 2, 2008:

well, is there any solution that would be secure to use 24/7?
laffin, posted November 2, 2008:

using md5 with various bits of info

$link = "http://my.site.com/qlogin.php?key=" . md5($username . $password);

wud be the simplest form, of course ya want more static info in there.

but ya can save the key into the db, and create these keys with other non static info. if done with a db, ya can also throw in all sorts of info, such as:

IPs allowed
Date restrictions
Expirations

and so forth
genericnumber1, posted November 2, 2008:

> using md5 with various bits of info
>
> $link = "http://my.site.com/qlogin.php?key=" . md5($username . $password);
>
> wud be the simplest form, of course ya want more static info in there.
>
> but ya can save the key into the db, and create these keys with other non static info. if done with a db, ya can also throw in all sorts of info, such as:
>
> IPs allowed
> Date restrictions
> Expirations
>
> and so forth

This is still very insecure. There are no safe methods.
Vaclavious (author), posted November 2, 2008:

so if i create a web page that only i have access to, and put a script that will gather link to my other web site, username and pass from a database on click, it is still unsecure? can i ask what kind of attacks i am vulnerable to (providing my first site and my database on that site are secure enough)?
genericnumber1, posted November 2, 2008:

What do you mean "only you have access to"?

say you click this link with the suggestion the person above had... http://my.site.com/qlogin.php&key=2lkfnl2k34tn2lkt239 (or whatever)

then you decide to, say, click an affiliate's link you have at the bottom of your page... up pops your referrer link on their website logs

referrer: "http://my.site.com/qlogin.php&key=2lkfnl2k34tn2lkt239".

They type it in their browser and there they go, they're in.

Also, using this method would require you to keep the passwords in your database unencrypted so that you can compare the username/password md5 to the login submission. Even if you keep them encrypted and compare the username/md5(password) it creates a secondary security vulnerability. If someone does get into your database (it happens to big websites all the time, it can happen to you) with the username/md5(password) they can use it to log into your website through this qlogin.php page, essentially making your encryption procedures worthless.

What's wrong with logging in manually?
laffin, posted November 2, 2008:

I take it ya missed the part about using various static info, one of them being IP. there was a reason for using a db for these keys as well. but ya have to read the whole post in order to get a hint of what can be done.

and I did say that was a simple form, using md5 and 5 pieces of info from the user profile/details.

I have helped a friend make a 96 character key, 3 md5 checksums tied together. these keys have a lifespan of 2 weeks. so all in all not a bad system.
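
Added example, not part of the thread and not any poster's code: a login-link token that addresses the two weaknesses raised above, by being random rather than derived from the username or password, stored only as a hash, and accepted once before a short expiry. The table name, function names and the https URL are hypothetical; it assumes PHP 7.1+ with the pdo_sqlite extension and uses an in-memory database so it runs offline.

```php
<?php
// Added example (hypothetical names): random, single-use, expiring login tokens.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tokens (
    token_hash TEXT PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    expires_at INTEGER NOT NULL,
    used       INTEGER NOT NULL DEFAULT 0)');

// Issue a token: 32 random bytes, unrelated to the username or password.
// Only the SHA-256 hash is stored, so a leaked table does not contain usable links.
function issueToken(PDO $db, int $userId, int $ttlSeconds = 600): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare(
        'INSERT INTO login_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttlSeconds]);
    return $token;
}

// Redeem a token: returns the user id on first valid use, null otherwise.
// The conditional UPDATE is atomic, so two concurrent requests cannot both succeed.
function redeemToken(PDO $db, string $token): ?int
{
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('UPDATE login_tokens SET used = 1
                          WHERE token_hash = ? AND used = 0 AND expires_at > ?');
    $stmt->execute([$hash, time()]);
    if ($stmt->rowCount() !== 1) {
        return null; // unknown, expired, or already used
    }
    $stmt = $db->prepare('SELECT user_id FROM login_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    return (int) $stmt->fetchColumn();
}

// Constructed sample run for user id 42.
$token = issueToken($db, 42);
echo 'https://my.site.com/qlogin.php?key=' . $token, PHP_EOL; // constructed sample URL
var_dump(redeemToken($db, $token));               // first use of the link
var_dump(redeemToken($db, $token));               // same link replayed, e.g. from a referrer log
var_dump(redeemToken($db, str_repeat('0', 64)));  // token that was never issued
```

After a successful redeem, the handler would start a normal session and redirect to a URL without the key, so the token does not stay in the address bar or in later Referer headers.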