Autologin for web application

Posted by Maulin on Stack Overflow See other posts from Stack Overflow or by Maulin
Published on 2010-06-02T13:21:44Z Indexed on 2010/06/02 13:23 UTC
Read the original article Hit count: 340

Filed under:

web-development

|

security

|

autologin

We want to AutoLogin feature to allow user directly login using link into our Web Application. What is the best way achieve this?

We have following approches in our mind.

1) Store user credentials(username/password) in cookie. Send cookie for authentication.

e.g. http: //www.mysite.com/AutoLogin (here username/password will be passed in cookie)

OR Pass user credentials in link URL.

http: //www.mysite.com/AutoLogin?userid=<>&password=<>

2) Generate randon token and store user random token and user IP on server side database.

When user login using link, validate token and user IP on server.

e.g.

http: //www.mysite.com/AutoLogin?token=<>

The problem with 1st approach is if hacker copies link/cookie from user machine to another machine he can login.

The problem with 2nd approach is the user ip will be same for all users of same organization behind proxy.

Which one is better from above from security perspective? If there is better solution which is other than mentioned above, please let us know.

© Stack Overflow or respective owner

Related posts about web-development

Web Development - How to Get Started in Web Development

as seen on Ezine Articles - Search for 'Ezine Articles'
11 years ago I purchased a book about basic HTML development. A purchase that would end up defining my entire professional career. I bought it because I wanted to create a web page for a school project. This was in the days of Geo city sites and it looked absolutely horrible. >>> More
PHP Web Development, Web Development Using PHP As an Open Source

as seen on Ezine Articles - Search for 'Ezine Articles'
PHP is a widely-used general-purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is the most famous language nowadays as it is an open source and web development requires no costs in implementation. >>> More
How to get full query string parameters not UrlDecoded

as seen on Developer IT - Search for 'Developer IT'
Introduction While developing Developer IT’s website, we came across a problem when the user search keywords containing special character like the plus ‘+’ char. We found it while looking for C++ in our search engine. The request parameter output in ASP.NET was “c “.… >>> More
Tracking download of non-html (like pdf) downloads with jQuery and Google Analytics

as seen on Developer IT - Search for 'Developer IT'
Hi folks, it’s been quite calm at Developer IT’s this summer since we were all involved in other projects, but we are slowly comming back. In this post, we will present a simple way of tracking files download with Google Analytics with the help of jQuery. We work for a client that offers… >>> More
What is the best .NET web development framework?

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm looking for a framework to simplify the creation of a website with social networking features and plenty of custom functionality. I'm quite keen to use an ORM like nHibernate or similar for data access. Would DotNetNuke be a good choice? Or are there other options which are better. Added: I'm… >>> More

Related posts about security

sudo apt-get update errors

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
Here is what I get on my terminal when running sudo apt-get update errors. I dont know if the issue is from my sources.list or my proxy setup(have not made any changes to proxies). Thank you for any help in advanced. Ign http://security.ubuntu.com oneiric-security Release.gpg Ign http://security… >>> More
The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

as seen on Devx - Search for 'Devx'
Two well-known white hats explain how hackers take advantage of security holes left by enterprise application developers. >>> More
The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

as seen on Internet.com - Search for 'Internet.com'
Two well-known white hats explain how hackers take advantage of security holes left by enterprise application developers. >>> More
StackOverFlowError while creating Mac object on AS400/Java

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello all, I am a newbie to AS400-Java programming. I am trying to create my first program to test the implementation of Message Authentication Code (MAC). I am trying to use the HMACSHA1 hash function. My (Java 1.4) program runs fine on a dev box (V5R4).But fails terribly on the QA box (V5R3). My… >>> More
Google App Engine - Spring Security Issue (java.security.AccessControlException)

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm currently getting the AccessControlException below when I deploy to app engine (I don't see it when I run in my local environment). I'm using GAE 1.3.1, Spring 3.0.1, and Spring Security 3.0.2. Any ideas how to get around this issue? It appears to be an issue with Spring Security trying to get… >>> More