piznac (August 2, 2007): Ok... I am working on a Support Ticket type program. And I have come across a problem. There is an admin section where the "operators" can log in and view open tickets and reply to them. Problem is they will get a link in an email to the ticket with the ticket number in a URL var. What I don't want is to have an operator click the link only to have them log in and lose the var (ticket id...). Does that make sense? I want the link to log them in somehow. Not with it being a link via email I really have no way of knowing who that user is and if they really are that user. I think I could set the session var (username is set in a session var) with their username (not sure how yet) but that seems very unsecure. Has anyone run into this before? If so, what was your solution? Just a kick in the right direction is all I'm looking for... Thanks!
piznac (Author, August 2, 2007): What if I had another field in the database to define admins (I do already)... and create a different cookie for just admins that holds username & password. Can anyone see why this wouldn't be a good idea?
Link (August 2, 2007): I always find that logging in via email is very insecure. You can do it by storing a unique variable in the address and associating it with the user in the database. The problem is that you make the assumption that the email you send it to is the person who owns the account. If you are at all worried about that, then it's not a good option. There may be other security measures to take, but ultimately that's the concept. Now, another option is that you could store that ticket number through the whole login process. And then you could just redirect to the page after login. Does that help?
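The second option in Link's post above (hold the ticket number through login, then redirect), as an added PHP example that is not code from the thread. The page names `view_ticket.php`, `login.php` and `tickets.php`, the `ticket` URL parameter and the `pending_ticket` session key are assumptions; the e-mailed link carries only the ticket number, never credentials.

```php
<?php
// Added example, not code from the thread. File names, the 'ticket' parameter
// and the 'pending_ticket' session key are assumptions for illustration.
session_start();

/** Return the ticket id as a positive int, or null if it is not a plain number. */
function clean_ticket_id($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null; // rejects arrays, signs, whitespace, URLs, oversized values
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/**
 * Call at the top of view_ticket.php (the page the e-mailed link points to,
 * e.g. view_ticket.php?ticket=1234). Anonymous visitors are sent to the login
 * form and the validated ticket id is parked in the session meanwhile.
 */
function require_login(): void
{
    if (empty($_SESSION['username'])) {
        $_SESSION['pending_ticket'] = clean_ticket_id($_GET['ticket'] ?? null);
        header('Location: login.php');
        exit;
    }
}

/** Call in login.php once the posted username and password have been verified. */
function finish_login(string $username): void
{
    $id = $_SESSION['pending_ticket'] ?? null;
    unset($_SESSION['pending_ticket']);

    session_regenerate_id(true); // fresh session id after authentication
    $_SESSION['username'] = $username;

    // The redirect target is built from the stored integer only, never from a
    // URL supplied in the request, so the login page cannot be used to bounce
    // an operator to another site.
    $target = is_int($id) ? 'view_ticket.php?ticket=' . $id : 'tickets.php';
    header('Location: ' . $target);
    exit;
}
```

`view_ticket.php` should still check that the logged-in operator is allowed to see the requested ticket, since the number in the link identifies the ticket, not the person who clicked it.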
piznac (Author, August 2, 2007): Hmmm... that may just be the way to go... didn't think about that. Thanks Link!
Link (August 2, 2007): I just hate to store cookies because they aren't too secure with that type of sensitive information. That information is a website's most valuable information... so I hate putting them in places that are easy to get at.
piznac (Author, August 2, 2007): Yeah, I was thinking of storing the password in a cookie and encrypting it. But after your suggestion... I'm thinking why even create the possible kink in the armor. They will just have to log in... lol
Link (August 2, 2007): Yeah. I am currently developing a site, and our designer just asked us if there was a way to keep them logged in for two weeks, so we just had this discussion. There are ways to add more security on top of both options, but if you don't think it will deter the use of your system, why not just have them log in every time, particularly if you are protecting sensitive information? Another thing is you could store that unique string in a cookie and then when they visit again it logs them back in, and such. It's the same concept as the email link.