security - Auto Login from email link and PHP? -

-

i'm trying create link when clicked login user automatically , take them specific page.

i've thought creating sort of hashed string contains user's id, username , few other pieces of info. when clicked these pieces of information looked in db , if validated login them in , redirect them specific page.

for sites twitter , facebook when receive email notification , click link in email i'm automatically taken inbox on corresponding site. i'm trying duplicate behavior...

are there security issues doing or there safer more preferred way?

if want offer feature users, have take care of 2 things:

  • the validity of created url must set in time (ex: 24hours, 48hours).
  • the created url must work 1 specific user.
  • (optionnal) created url work 1 page

i propose kind of solution create url match these criteria (it's proof of concept):

<?php  $privatekey = 'somethingverysecret'; $username = 'cedric'; $url = 'my/personal/url'; $timelimit = new datetime('tomorow');   function createtoken($privatekey, $url, $username, $timelimit){     return hash('sha256', $privatekey.$url.$username.$timelimit); }  function createurl($privatekey, $url, $username, $timelimit){      $hash = createtoken($privatekey, $url, $username, $timelimit->gettimestamp());      $autologinurl = http_build_query(array(         'name' => $username,         'timelimit' => $timelimit,         'token' => $hash     ));     return $url.'?'.$autologinurl; }  function checkurl($privatekey){       if((int)$_get['timelimit'] > time() ){         return false;     }      //check user credentials (he exists, have right on page)      $hash = createtoken($privatekey, $_server['php_self'], $_get['name'], $_get['timelimit']);      return ($_get['token'] == $hash); }

Comments

Post a Comment

Popular posts from this blog

html5 - What is breaking my page when printing? -

-
Image
i have questioner , don't know why when printing it's creating break before first question. live demo (link) i able resolve issue removing fieldset container had wrapped in.. having fieldset element causing of fields grouped together, , since not fit on first page, being pushed second page. removing fieldset element, able firefox print first 2 questions on page 1 identically chrome. it seems not new problem firefox , fieldset not playing nice found old bugzilla ticket 2008 has persisted , still being commented on in 2014 (link) if retaining fieldset important, found solution else came here (link) <script type='text/javascript'> $(window).bind('beforeprint', function(){ $('fieldset').each( function(item) { $(this).replacewith($('<div class="fieldset">' + this.innerhtml + '</div>')); } ) }); $(window).bind(
Read more

html - Unable to style the color of bullets in a list -

-
i'm trying change colour of list points it's not working? <div class="mobile-menu" id="mobile-menu"> <div id="mobile-menu-links"> <h4>general:</h4> <ul class="mobile-menu-links"> <li><a href="">news</a></li> <li><a href="">the boring rules!</a></li> <li><a href="">the rankings</a></li> </ul> .mobile-menu #mobile-menu-links ul{ list-style-type: none; margin:0; padding-left:3%; } .mobile-menu #mobile-menu-links ul li{ padding-bottom:2px; border-bottom:1px solid #bababa; } if add color:red in either of 2 css declarations, doesn't change colour. please note html closed in document, copi
Read more

c# - must be a non-abstract type with a public parameterless constructor in redis -

-
when save object, got below error must non-abstract type public parameterless constructor in order use parameter 't' in generic type or method 'servicestack.redis.redisclient.store<t>(t) redisclass.getinstnace().store(msg); // error here redisclass.getinstnace().save(); as third party's class, can not edit how save object? could create wrapper around third party object call constructor, store wrapper? e.g. public class mywrapper { public thirdpartyobject thirdpartyinstance { get; set; } public mywrapper() { thirdpartyinstance = new thirdpartyobject("constructors"); } }
Read more