Autologin for web application

Posted by Maulin on Stack Overflow See other posts from Stack Overflow or by Maulin
Published on 2010-06-02T13:21:44Z Indexed on 2010/06/02 13:23 UTC
Read the original article Hit count: 373

We want to AutoLogin feature to allow user directly login using link into our Web Application. What is the best way achieve this?

We have following approches in our mind.

1) Store user credentials(username/password) in cookie. Send cookie for authentication.

e.g. http: //www.mysite.com/AutoLogin (here username/password will be passed in cookie)

OR Pass user credentials in link URL.

http: //www.mysite.com/AutoLogin?userid=<>&password=<>

2) Generate randon token and store user random token and user IP on server side database.

When user login using link, validate token and user IP on server.

e.g.

http: //www.mysite.com/AutoLogin?token=<>

The problem with 1st approach is if hacker copies link/cookie from user machine to another machine he can login.

The problem with 2nd approach is the user ip will be same for all users of same organization behind proxy.

Which one is better from above from security perspective? If there is better solution which is other than mentioned above, please let us know.

© Stack Overflow or respective owner

Related posts about web-development

Related posts about security