2

I am providing registered members of a website a weekly mailing which contains URLs to private pages on the website.

For usability purposes, I don't want the user to have to provide their credentials after they click on the URL.

I am using the ASP.NET Membership provider model.

Question

How can I implement this so that the user can be logged in by virtue of clicking a specialized URL link?

Improve this question
4
  • 4
    I think the biggest pitfall you'll need to watch out for is the huge hole in security you'd be opening up. What happens if somebody other than the user gets hold of that email and clicks the link? They'd be logged into the system (probably as the user), which means they could alter the account details and post comments as the user, essentially stealing the account. Is that risk really worth the convenience of not entering a password to view a page? Commented Jan 2, 2010 at 10:57
  • I'am aware of the security issues but there is decided to go for better user experience. Commented Jan 2, 2010 at 11:49
  • If you are dead set on going this route, may I suggest you consider making the URL grant the user read-only access to the page in question (and only that page). If the user needs to modify the page, post comments to it, or navigate to a different part of the system (especially pages like account maintenance), they should then be asked for their login details. The URL would then be a sort of partial security token not unlike the ones generated by UAC in Windows Vista and 7. Commented Jan 3, 2010 at 1:57
  • I would urge anyone else who is considering doing this to not do it as the security risks are huge. Commented Jan 26, 2010 at 17:27

2 Answers 2

Reset to default
2

The way most sites deal with this is to have a "leave me logged in" checkbox on their main login page. When selected, it causes a long-duration cookie to be set in the user's browser. Then, when they click the link in your email, the site recognizes the cookie and authorizes access.

You might have to tweak the standard Membership provider a bit to do this, but it shouldn't be too bad.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

You could send them a URL with a very long, randomly generated number (e.g. a GUID), which is also stored in your database. When they click the URL, your system can match the GUID to their user account and log them in.

To crack this, a hacker would need to try an enormous number of combinations, and you could quickly spot any brute-force attacks in your server logs and ban that IP address.

But you need to decide if you think it's worth the slight risk, in order to improve your user experience.

In a project I recently worked on, that was very similar to this, we opted for better user experience over security.

(BTW, there are ways you can make this safer. After matching the GUID, rather than logging the user in, you could just show them private page, but then require a username/password if they click away from it, to another private page. You can also have the GUID expire after a period of time, say 3 weeks. This limits the amount of working GUIDs floating around that could be stumbled upon by hackers.)

Improve this answer

4 Comments

I'd just like to point out that IP bans are a drastic (and somewhat pointless) attempt to improve security. A lot of people are allocated dynamic IPs by their ISPs, which means its quite possible for somebody that never made an attack on the site to be blocked because the previous holder of the IP lease did something stupid. Theres also the risk of people using public proxies to get past the ban. Finally, as I tried to point out in my comment on the question, the biggest risk is the user's email account, not the URL itself (people use stupid things for email passwords).
You're dead right about IP bans, but I don't get your comment about risks to the user's email account. Just sending the user an email with a URL doesn't make their email account more susceptible to hacking, unless your site is popular enough for hackers to try phishing.
My point isn't that sending an email to a user puts their email account at risk, rather I'm saying that user's email accounts are at risk, and if someone were to gain access to that account (and the email containing the URL stored within that account), your site would then be vulnerable since the URL is essentially a backdoor into it.
Yeah, I'd agree with you there. I guess the only thing he could do is make it a kind of "limited login", so the user can only view that page, but if they click to another private page, they have to enter a password.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.