Auto Login from email link and PHP?
I'm trying to create a link that, when clicked, logs the user in automatically and takes them to a specific page.
I've thought about creating some sort of hashed string that contains the user's id, username, and a few other pieces of info. When the link is clicked, these pieces of information are looked up in the DB and, if validated, the user is logged in and redirected to the specific page.
For sites like Twitter and Facebook, when I receive an email notification and click the link in the email, I'm automatically taken to my inbox on the corresponding site. I'm trying to duplicate that behavior...
Are there security issues with doing this, or is there a safer, more preferred way?
If you want to offer this feature to your users, you have to take care of 2 things:
- The validity of the created URL must be limited in time (ex: 24 hours, 48 hours).
- The created URL must work for 1 specific user only.
- (optional) The created URL works for 1 page only.
I propose this kind of solution to create a URL that matches these criteria (it's a proof of concept):
<?php
$privatekey = 'somethingverysecret';
$username = 'cedric';
$url = 'my/personal/url';
$timelimit = new DateTime('tomorrow');

function createtoken($privatekey, $url, $username, $timelimit){
    return hash('sha256', $privatekey.$url.$username.$timelimit);
}

function createurl($privatekey, $url, $username, $timelimit){
    $timestamp = $timelimit->getTimestamp();
    $hash = createtoken($privatekey, $url, $username, $timestamp);
    $autologinurl = http_build_query(array(
        'name' => $username,
        'timelimit' => $timestamp,   // send the same timestamp that was hashed
        'token' => $hash
    ));
    return $url.'?'.$autologinurl;
}

function checkurl($privatekey){
    // reject the link once its time limit has passed
    if((int)$_GET['timelimit'] < time()){
        return false;
    }
    //check user credentials (he exists, have right on page)
    $hash = createtoken($privatekey, $_SERVER['PHP_SELF'], $_GET['name'], $_GET['timelimit']);
    // constant-time comparison instead of ==
    return hash_equals($hash, (string)$_GET['token']);
}
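The same three criteria (time limit, bound to one user, bound to one page), written out as an added example that is not the answer's code: the token is an HMAC over the user id, the target path and the expiry, so the link cannot be re-pointed at another user or page, and verification uses a constant-time compare. The secret, the base URL, the path, the user id and the TTL constant are all constructed values for the demo; a real application would load the secret from configuration and look the returned user id up in its own user store.

```php
<?php
// Added example (not from the answer): HMAC-signed, time-limited,
// user- and page-bound login link. All values below are constructed.

const LINK_TTL_SECONDS = 24 * 3600;   // assumed validity window

// Build the link. The signed payload joins the fields with a separator so
// that different (userId, path, expires) triples cannot produce the same
// byte string, which plain concatenation would allow.
function createLoginLink(string $secretKey, string $baseUrl, string $path, int $userId, int $now): string
{
    $expires = $now + LINK_TTL_SECONDS;
    $payload = implode('|', [$userId, $path, $expires]);
    $token   = hash_hmac('sha256', $payload, $secretKey);
    $query   = http_build_query(['uid' => $userId, 'exp' => $expires, 'token' => $token]);
    return $baseUrl . $path . '?' . $query;
}

// Verify a link for the page currently being served ($path) and return the
// user id it authorizes, or null if the link is missing fields, expired,
// issued for a different page/user, or carries a forged token.
function verifyLoginLink(string $secretKey, string $path, array $query, int $now): ?int
{
    if (!isset($query['uid'], $query['exp'], $query['token'])) {
        return null;
    }
    $userId  = (int) $query['uid'];
    $expires = (int) $query['exp'];
    if ($expires < $now) {
        return null;   // time limit has passed
    }
    $expected = hash_hmac('sha256', implode('|', [$userId, $path, $expires]), $secretKey);
    // hash_equals() compares in constant time and never juggles types the way == does.
    if (!hash_equals($expected, (string) $query['token'])) {
        return null;   // tampered fields or wrong secret
    }
    return $userId;
}

// Demo with constructed values.
$secretKey = 'replace-with-a-long-random-secret';
$now  = time();
$link = createLoginLink($secretKey, 'https://example.com', '/inbox', 42, $now);
parse_str((string) parse_url($link, PHP_URL_QUERY), $params);

var_dump(verifyLoginLink($secretKey, '/inbox', $params, $now));                          // valid link
var_dump(verifyLoginLink($secretKey, '/settings', $params, $now));                       // same token, different page
var_dump(verifyLoginLink($secretKey, '/inbox', $params, $now + LINK_TTL_SECONDS + 1));   // after expiry
$tampered = $params;
$tampered['uid'] = '43';                                                                 // user id edited in the URL
var_dump(verifyLoginLink($secretKey, '/inbox', $tampered, $now));
```

If the optional "works for 1 page only" criterion is extended to "works only once", the application additionally has to record the token (or a random nonce included in the payload) server-side when it is consumed and refuse it the second time; a pure signature cannot express single use on its own. Note also that `$_SERVER['PHP_SELF']` in the answer's check must match the `$url` used at creation time exactly, otherwise every link fails verification.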