Login Via A Link

Hello All,

I was just wondering about the security concerns of enabling login by passing parameters into the controller.

Or is there another way to realize this?

I want people to be able to log in by clicking a link they get from their emails.

Example link:


http://example.com?index.php?r=site/login&username=xxxxx&password=xxxxx




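public function actionLogin($username, $password)
{
    $model = new LoginForm;

    // Credentials arrive as GET parameters taken straight from the link.
    if (isset($username) && isset($password)) {
        $model->username = $username;
        $model->password = $password;

        // On a successful login, redirect to the index action.
        if ($model->login()) {
            $this->redirect(array('index'));
        }
    }
}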



Never put login credentials into a URL. Why do you need them to be able to log in automatically?

First of all, think twice before doing it.

As Keith has already said, passing login credentials via GET is totally insecure.

But you can provide a one-time link to do the job:

Add a special field to the user table, for example, login_hash.

Create and store some random string in login_hash right before sending the email to the user.

So the link would be something like r=site/autologin&login=xxxx&login_hash=xxxxxxxxxxxxxx

In your autologin action: find the user by login and login_hash, and log him in.

Erase(!!) login_hash for this user.

Should work.
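The one-time-link steps above, as an added example (not code from this thread or from Yii): plain PHP with an in-memory array standing in for the user table. The function names, the `login_hash_expires` field, storing only a SHA-256 of the token, and the 15-minute lifetime are assumptions that go beyond the steps as posted.

```php
<?php
// Constructed sample data: stand-in for the user table.
// login_hash holds SHA-256(token); login_hash_expires is a Unix timestamp (assumed field).
$users = ['alice' => ['login_hash' => null, 'login_hash_expires' => 0]];

// Create a random token right before sending the email; store only its hash.
function issueLoginToken(array &$users, string $login, int $ttl = 900): ?string
{
    if (!isset($users[$login])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $users[$login]['login_hash'] = hash('sha256', $token);
    $users[$login]['login_hash_expires'] = time() + $ttl;
    return $token; // goes into the link, never into the table
}

// Autologin check: find the user by login and token, then erase the token.
function redeemLoginToken(array &$users, string $login, string $token): bool
{
    $stored  = $users[$login]['login_hash'] ?? null;
    $expires = $users[$login]['login_hash_expires'] ?? 0;
    if (!is_string($stored) || time() > $expires) {
        return false; // unknown user, no pending link, or link expired
    }
    // Constant-time comparison of the stored hash with the hash of the presented token.
    if (!hash_equals($stored, hash('sha256', $token))) {
        return false;
    }
    // Erase before logging the user in so the same link cannot be replayed.
    $users[$login]['login_hash'] = null;
    $users[$login]['login_hash_expires'] = 0;
    return true;
}

$token = issueLoginToken($users, 'alice');
echo 'r=site/autologin&login=alice&login_hash=' . $token, PHP_EOL;
var_dump(redeemLoginToken($users, 'alice', $token));              // first click
var_dump(redeemLoginToken($users, 'alice', $token));              // same link clicked again
var_dump(redeemLoginToken($users, 'alice', str_repeat('0', 64))); // guessed token
```

Against a real database, do the lookup and the erase in one statement or transaction so two simultaneous clicks cannot both succeed.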

Thanks @Keith,

I’m looking for a solution to let people easily log in and submit some information.

It's unbelievable but true that to this day lots of people still cannot use the login form.

Thanks ORey,

Probably this will be a better solution to my problem.

Let me try to realize this. Thanks.