Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Authentication without username/password?

We are building a PHP multi-tenant application. Each company's account will run on their own subdomain abcorp.example.com. The application allows companies to write and publish content (faqs, etc) for their customers to read.

They will tell their customers to visit: abcorp.example.com/ to read the content. Or they will put a link to that URL in their secure web application.

However these companies may not want just anyone reading the content by going to abcorp.example.com/

So, the question I have is there any way to provide some basic authentication without getting into username and password authentication. I was thinking about some kind of hidden token added to the hyperlink or something like that

My goal:

  1. If users type abcorp.example.com/ directly in the browser, they will not be able to see the web page because they didn't authenticate or pass the token in.

  2. Avoid using username and passwords

Another option would be Referring URL Authentication

like image 234
user635800 Avatar asked Nov 14 '22 02:11

user635800


1 Answers

Of course, if someone makes the token public, it will open up access to whoever finds it.

I suppose each company could link to their page using a shared token, for example:

abccorp.example.com/?t=4rrfwr23rwads3

Each token could be stored in a file or a database.

When someone requests a page, it checks the value of $_GET['t'] with the one stored on the server. If it matches, it loads the rest of the page. Of course, this variable would have to be carried throughout the site, and included in every link.

Again, this will not be very secure. An exposed token could give access to the site to the entire world.

like image 131
djdy Avatar answered Dec 23 '22 19:12

djdy