sending login information through link


Vaclavious

hello all

i'm still a noob concerning php, but i was wondering if it would be possible to program something that crossed my mind and found this site when searching for answers.

 

anyway, i want to be able to log on to my site directly by clicking on a link on another site. most of the activation links when registering on the site log you in directly, and i want to do the same thing (on already activated accounts obviously). so i guess i'll need a script where i'll write down my username, password and link to the site, and everything should be stored in the database, and then create a link that will gather that information and log me in on selected site.

i probably won't be able to program it, so i'll pay a professional to do it, but i'm just wondering if it is possible, and should i be worried about the security of that method?

 

i hope i described it well, and thanks in advance for answers.

 

Vaclavious

Link to comment

Yeah, you shouldn't use that method. I don't know any websites that do as.. well... frankly, it would be stupid. Most websites that do something similar log you in when you sign up for the account and then send you an activation email for you to click.. it activates your account and you're still logged in from before. That is the only method where I could see something like this being beneficial.

Link to comment

Yes, it's possible.

ya wud never use yer login info in yer link.

Usually such links are ip based, meaning, ya wud make a link for each location ya plan on. and possibly temp links (links good for only a few logins or a period of time)

 

but the options are pretty much endless

 

Link to comment

using md5 with various bits of info

 

// key is the md5 of username and password joined together
$link = "http://my.site.com/qlogin.php?key=" . md5($username . $password);

 

wud be the simplest form, of course ya want more static info in there.

but ya can save the key into the db, and create these keys with other non static info, if done with a db, ya can also throw in  all sorts of info.

Such as IPs allowed

Date restrictions

Expirations

 

and so forth

Link to comment

This is still very insecure. There are no safe methods.

Link to comment

so if i create a web page that only i have access to, and put a script that will gather link to my other web site, username and pass from a database on click, it is still insecure? can i ask what kind of attacks i am vulnerable to (providing my first site and my database on that site are secure enough)?

Link to comment

What do you mean "only you have access to"?

 

say you click this link with the suggestion the person above had...

http://my.site.com/qlogin.php&key=2lkfnl2k34tn2lkt239 (or whatever)

then you decide to, say, click an affiliates link you have at the bottom of your page... up pops your referrer link on their website logs referrer: "http://my.site.com/qlogin.php&key=2lkfnl2k34tn2lkt239".

They type it in their browser and there they go, they're in.

 

Also, using this method would require you to keep the passwords in your database unencrypted so that you can compare the username/password md5 to the login submission. Even if you keep them encrypted and compare the username/md5(password) it creates a secondary security vulnerability. If someone does get into your database (it happens to big websites all the time, it can happen to you) with the username/md5(password) they can use it to log into your website through this qlogin.php page, essentially making your encryption procedures worthless.

 

What's wrong with logging in manually?

Link to comment

I take it ya missed the part about using various static info.

one of them being IP.

 

there was a reason for using a db for these keys as well.

but ya have to read the whole post in order to get a hint of what can be done.

 

and I did say that was a simple form.

 

using md5, and 5 pieces of info from the user profile/details.

I have helped a friend make a 96 character key, 3 md5 checksums tied together. these keys have a lifespan of 2 weeks. so all in all not a bad system.

 

Link to comment
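The thread's suggestion of keys saved in the db with expirations, and the objections about Referer logs and a leaked database, can be shown together in one sketch. This is an added example, not code from any poster in the thread: the `login_links` table, the functions `issueLoginLink` and `redeemLoginLink`, the https URL, user id 42 and the in-memory SQLite database are all assumptions.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the site's database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// token_hash holds SHA-256 of the key, so a database leak yields no usable link.
$db->exec('CREATE TABLE login_links (
    token_hash TEXT PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    expires_at INTEGER NOT NULL,
    used       INTEGER NOT NULL DEFAULT 0)');

// Hypothetical helper: the key is random, so it is unrelated to the password.
function issueLoginLink(PDO $db, int $userId, int $ttl, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO login_links (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, $now + $ttl]);
    return 'https://my.site.com/qlogin.php?key=' . $token;
}

// Hypothetical helper: returns the user id for a valid key, otherwise null.
// The UPDATE matches only an unused, unexpired row, so a key works once.
function redeemLoginLink(PDO $db, string $token, int $now): ?int
{
    $hash = hash('sha256', $token);
    $upd = $db->prepare('UPDATE login_links SET used = 1
                         WHERE token_hash = ? AND used = 0 AND expires_at > ?');
    $upd->execute([$hash, $now]);
    if ($upd->rowCount() !== 1) {
        return null;
    }
    $sel = $db->prepare('SELECT user_id FROM login_links WHERE token_hash = ?');
    $sel->execute([$hash]);
    return (int) $sel->fetchColumn();
}

// Constructed demo: user id 42, 15-minute lifetime.
$now = time();
parse_str((string) parse_url(issueLoginLink($db, 42, 900, $now), PHP_URL_QUERY), $fresh);
parse_str((string) parse_url(issueLoginLink($db, 42, 900, $now - 3600), PHP_URL_QUERY), $stale);

var_dump(redeemLoginLink($db, $fresh['key'], $now)); // first click
var_dump(redeemLoginLink($db, $fresh['key'], $now)); // same key replayed, e.g. from a Referer log
var_dump(redeemLoginLink($db, $stale['key'], $now)); // key issued an hour ago
```

In a real qlogin.php, a successful redeem would start the session and redirect to a URL without the key, so the key is not carried to other sites in the Referer header.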