Autologin for web application
Posted by Maulin on Stack Overflow
Published on 2010-06-02T13:21:44Z
We want an AutoLogin feature that allows a user to log in directly to our web application using a link. What is the best way to achieve this?
We have the following approaches in mind.
1) Store user credentials (username/password) in a cookie. Send the cookie for authentication.
e.g. http://www.mysite.com/AutoLogin (here the username/password will be passed in the cookie)
OR pass the user credentials in the link URL.
http://www.mysite.com/AutoLogin?userid=<>&password=<>
2) Generate a random token and store the user's random token and the user's IP in a server-side database.
When the user logs in using the link, validate the token and user IP on the server.
e.g.
http://www.mysite.com/AutoLogin?token=<>
The problem with the 1st approach is that if a hacker copies the link/cookie from the user's machine to another machine, he can log in.
The problem with the 2nd approach is that the user IP will be the same for all users of the same organization behind a proxy.
Which of the above is better from a security perspective? If there is a better solution other than those mentioned above, please let us know.
© Stack Overflow or respective owner
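
Approach 2 from the question, written out as an added example (not part of the original post): the server issues a random token, records it with the user and IP, and checks both when the link is used. The in-memory store, the function names, the sample addresses and the choice to keep only a SHA-256 hash of the token on the server are assumptions made for illustration.

```python
import hashlib
import secrets

# In-memory stand-in for the server-side database table (assumption).
_TOKENS = {}  # sha256(token) hex digest -> (user_id, issuing_ip)


def _digest(token):
    # Only the hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id, client_ip):
    """Create a random token, record its hash with the user and IP, return the link."""
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    _TOKENS[_digest(token)] = (user_id, client_ip)
    return "http://www.mysite.com/AutoLogin?token=" + token


def validate(link, client_ip):
    """Return the user id if the token is known and the IP matches, else None."""
    token = link.partition("?token=")[2]
    record = _TOKENS.get(_digest(token))
    if record is None:
        return None
    user_id, issuing_ip = record
    return user_id if issuing_ip == client_ip else None


def demo():
    # Constructed sample addresses taken from the documentation ranges.
    proxy_ip, outside_ip = "203.0.113.10", "198.51.100.7"
    link = issue_token("alice", proxy_ip)
    return {
        "owner_same_ip": validate(link, proxy_ip),
        "link_used_from_other_network": validate(link, outside_ip),
        # Everyone behind the organization's proxy presents the same IP, so the
        # IP check cannot tell the owner from a colleague holding the same link.
        "link_used_behind_same_proxy": validate(link, proxy_ip),
        "unknown_token": validate("http://www.mysite.com/AutoLogin?token=guess", proxy_ip),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```
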