Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

password-less login system

Tags:

php

What is the best approach for creating a password-less login system?

I'm thinking to use some sort of randomly generated 16 character token, for example:

mysite/members/index.php?token=2j0n1qyjgcxyu3oy

I'm developing a quotation system and the idea is that the suppliers don't have to register, instead I create their account for them and all they have to do is click the link in their email in order to submit a quote. This will encourage suppliers to submit a quote, as they'll know they don't need to register or log in.

There isn't much harm that someone could do should they happen to guess the token, but I'd still like to make the system as secure as I can without requiring a password.

like image 789
MAX POWER Avatar asked Aug 02 '10 18:08

MAX POWER

3 Answers

A token would be fine, I would use an MD5 or SHA1 hash for it.

But so you are aware, which it seems you are, this can be sniffed by packet sniffers, especially through email, so just know that. But if that is not an issue, I do not see a problem with using a token for a supplier. If it does get sniffed or abused, simply re-generate a new token for them.

Hope that helps.

like image 121
Jim Avatar answered Oct 21 '22 11:10

Jim

That's a pretty common approach. The trick is to make sure the token is unique. I have used a GUID value in the past.

It all boils down to what is the risk vs the reward.

What is the risk that someone else could use that token to access your system. Since it's being sent via clear-text email the risk is probably moderate. (An attacker would have to be listening on their network or between you and their email host. Still not easy).

What's the reward. The attacker could submit a quote in the company's name. How bad is that? That is up to you.

Another risk I could see is if a company submits a quote and then later decides they don't want to honor it. They could just say they didn't submit it. Someone else must have done so in their name. Again, likelihood of this is probably not very high and could be dealt with in other ways.

like image 28
Zippit Avatar answered Oct 21 '22 12:10

Zippit

Well wouldn't your token be like a password a little bit? You could also redirect them to a special site, where they have to click a button spezified in the mail, to verify their identidy( or let them enter a pin from the mail), so you can be sure not to send all critical data per GET but per POST(important in a public place)

Hope I could help

like image 1
Tokk Avatar answered Oct 21 '22 13:10

Tokk
Sign in to Comment

Related questions

Laravel: Cannot declare class App\Models\Customer, because the name is already in use
Setting a custom place holder image in twig/timber theme
Prevent PHP DOMDocument from removing @click attributes
Arithmetic with Arbitrarily Large Integers in PHP
Upload progress using pure PHP/AJAX?
Transactions in wordpress database
php user authentication libraries / frameworks ... what are the options? [closed]
Can't return a result set in the given context
Creating and updating Zend_Search_Lucene indexes
Mysqli Prepared Statement in bindParam() not working
PHP $_POST variables are sometimes empty
Encode HTML entities but ignore HTML tags - in PHP
SPSS and PHP/MySQL Integration
What is the best way to assert redirections in Selenium?
How efficient is PHP's substr?
PHP : apc_store doesn't work as intended
Do you need a good background in OOP before moving to frameworks?
Can I expose MySQL data using PHP and OData?
Run inkscape in PHP
PHP curl - posting asp.net viewstate value

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!