HMAC URLs instead of login?
Posted
by
Tres
on Stack Overflow
See other posts from Stack Overflow
or by Tres
Published on 2012-10-08T20:59:08Z
Indexed on
2012/10/08
21:37 UTC
Read the original article
Hit count: 219
In implementing my site (a Rails site if it makes any difference), one of my design priorities is to relieve the user of the need to create yet another username and password while still providing useful per-user functionality.
The way I am planning to do this is:
- User enters information on the site. Information is associated with the user via server-side session.
- User completes entering information, server sends an access URL via e-mail to the user roughly in the form of:
http://siteurl/<user identifier>/<signature: HMAC(secret + salt + user identifier)>
- User clicks URL, site looks up user ID and salt and computes the HMAC with the server-stored secret and authenticates if the computed HMAC and signature match.
My question is: is this a reasonably secure way to accomplish what I'm looking to do? Are there common attacks that would render it useless? Is there a compelling reason to abandon my desire to avoid a username/password? Is there a must-read book or article on the subject?
Note that I'm not dealing with credit card numbers or anything exceedingly private, but I would still like to keep the information reasonably secure.
© Stack Overflow or respective owner