I had a link http://uuuu.com/index.jsp?username=user&password=pass. If the user clicks on the link, it should automatically log in to the website, reading the username and password from that URL, so the user does not need to fill in the username and password fields to view the site. Is the URL format correct? If not, what is the proper format to do it?
-
Are you sure you want to pass the password in the URL, using a GET request? (Prasad Kharkar, commented Jan 29, 2014 at 9:25)
-
Don't miss this outstanding Community Wiki article: The definitive guide to form-based website authentication. (Andrea Ligios, commented Jan 29, 2014 at 10:58)
-
Possible duplicate of: How to automatically login to the website using hyperlink? (Andrea Ligios, commented Jan 29, 2014 at 10:58)
5 Answers
I think the format you need is
http://username:[email protected]
I would still say that this approach is not recommended. You should not pass the username and password through the URL!
Using the actual username and password in the URL is not a feasible solution, as it puts users' security at risk: the URL will be stored in browser history or may get leaked. What you should do instead is generate a time-boxed token for each user and add that to the URL.
Example:
www.mywebsite.com/auth?token=bigtokengoeshere
Using the token value bigtokengoeshere on your server, you can authenticate the user.
Now, to generate a time-boxed auth token, use JWT. You will find implementations of this in most programming languages. The power of JWT is that you can set an expiry time for a token, which means your auth URL is only valid for the next X minutes.
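The token scheme this answer describes, as an added example that is not part of the original answer or of any JWT library: the token carries the user and an expiry time, is signed with a server-side HMAC key, and is verified with a constant-time signature check before the expiry is read. Only the Python standard library is used, so the JWT library the answer suggests is replaced by a minimal payload.signature format that makes the same two checks a JWT verifier makes. The endpoint https://www.mywebsite.com/auth is the hypothetical one from the answer, and the secret key and timestamps are constructed for the example.

```python
"""Time-boxed, HMAC-signed login token carried in a URL query parameter.

Added example, not code from the original answer.  Stand-in for the JWT the
answer recommends: same idea (signed claims with an expiry), standard library only.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret for the example; a real server loads this from a secret store.
SECRET_KEY = b"example-server-side-secret-do-not-reuse"
# Hypothetical login endpoint taken from the answer above.
BASE_URL = "https://www.mywebsite.com/auth"


def _b64url(data: bytes) -> str:
    """Unpadded URL-safe base64, so the token needs no percent-encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(username: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Return '<payload>.<signature>' valid for ttl_seconds from now."""
    now = time.time() if now is None else now
    claims = {"sub": username, "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def make_login_url(username: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Build the auth URL the user is sent; only the token goes in the URL."""
    return f"{BASE_URL}?{urlencode({'token': make_token(username, ttl_seconds, now)})}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the signature is valid and the token is unexpired, else None.

    The signature is checked before any claim is trusted, so a tampered or
    forged payload is rejected without being interpreted.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None  # signature mismatch: forged or tampered
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None  # expired: the time box has closed
    return claims["sub"]


def authenticate_url(url: str, now: Optional[float] = None) -> Optional[str]:
    """Server-side handler: extract ?token= from the clicked URL and verify it."""
    tokens = parse_qs(urlparse(url).query).get("token")
    if not tokens:
        return None
    return verify_token(tokens[0], now)


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp
    url = make_login_url("alice", 300, now=issued)
    print(url)
    print(authenticate_url(url, now=issued + 10))   # alice
    print(authenticate_url(url, now=issued + 300))  # None (expired)
```

Even a signed, short-lived token still ends up in browser history, proxy logs and Referer headers once it is in a URL, so keep the lifetime short, exchange the token for an ordinary session cookie on the first request and invalidate it there, and send the link only over HTTPS.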
Nobody can comment on whether the URL format is correct or not without knowing the internals of the authentication implementation on the server. One thing is sure: it is a bad idea from a security point of view, because parameters appended to the URL are not secure.
If you have the username and password, then I would suggest using an HTML form tag. See here.
But note that if you have applied an anti-forgery token to prevent CSRF attacks, then it may also not work.