Security of logging people in automatically from another app?

Posted by Simon on Programmers See other posts from Programmers or by Simon
Published on 2012-05-25T06:32:27Z Indexed on 2012/06/24 9:23 UTC
Read the original article Hit count: 372

Filed under:
|
|

I have 2 apps. They both have accounts, and each account has users.

These apps are going to share the same users and accounts and they will always be in sync.

I want to be able to login automatically from one app to the other.

So my solution is to generate a login_key, for example: 2sa7439e-a570-ac21-a2ao-z1qia9ca6g25 once a day. And provide a automated login link to the other app... for example if the user clicks on:

https://account_name.securityhole.io/login/2sa7439e-a570-ac21-a2ao-z1qia9ca6g25/user/123

They are logged in automatically, session created.

So here we have 3 things that a intruder has to get right in order to gain access; account name, login key, and the user id.

Bad idea? Or should I can down the path of making one app an oauth provider? Or is there a better way?

© Programmers or respective owner

Related posts about web-applications

Related posts about security