By the time someone else sees the token, over the network, it's already been invalidated. Security? When you enable auto-login, if a user forwards a community email to someone else using their email service provider's "Forward" feature, the original recipient's user credentials are embedded in the forwarded Just write in your email address, they send you over an email, click a link in the email and you're in. http://todayspec.com/auto-login/auto-logon-to-isp-from-startup-or-logon.php
To have an automatic login at an email account (or any other web service), first ensure that the chosen browser program can accept cookies and store passwords. Alternating Power Fibonacci Sequence "as rich as him", "as rich as he" or "as rich as he is" "Red Hot" Objects & the Ultraviolet Catastrophe Why do universities require international students It's a sharing competition to sign up, with a prize at the end. Amazon identifies me easily, but if I do anything that feels like I need my password, it asks for it.
My poor old p3 personal page box just about imploded when @newsycombinator tweeted this... underwater 2059 days ago A good idea for some situations. People routinely forward emails to their friends and colleagues, or copy links and post them on twitter.It's obvious that a password reset link should not be forwarded, but a monthly newsletter? Weigh in - do you think the benefits of auto-login outweighs the risks?
I used two separate values (key & secret) for the url just for added security (prevent fusking).Now because of the nature of the site (video lessons), security isn't a huge concern, The code has been made in accord with Drupal standards. The way the Higher Logic platform works, if we have enabled SSO with your main site login, and that login has a 'Remember Me' feature with a persistent cookie that lives Lea writes also about the pros, which should be also considered and in the comments section very good ideas appear on how this just depends on context and with a few
Subscribe to the blog by email Subscribe to the blog by RSS Higher Logic Blog Feed Search the blog Search Recent posts Four Community Newsletters You Need to Subscribe To LEGO: Auto Login Security Token Scalable The magic of this approach is we are just piggybacking off of the technology in the various key/value stores out there. Download The Community Roundtable's The State of Community Management Report for some great findings. Many people have no clue what they leave behind, especially on public computers and networks.
E.g. Because the session cookie would be encoded into the URL, upon accessing said URL, the session would be destroyed and a new session created. Can lack of planning railroad players? Especially when a community is migrating from a listserv to an online community software platform, auto-login can greatly ease the transition from old to new.
share|improve this answer answered Aug 20 '13 at 20:49 Kevin Panko 6,13283351 add a comment| up vote 3 down vote Many websites let users recover their passwords through email verification. Servlet Tutorial: Getting Starting with JSP - Servlet Example Limit Login Attempts: Absolutely MUST Have WordPress Plugin Top 5 WordPress Login Page Tweaks Java Cookies: How to do Java Servlet Session Login Via Email Link But for your particular needs you might want to use redis or Amazon DynamoDB or postgres or another one depending on your website's architecture. Auto Login Links Okcupid Since the token has a limited lifespan, the cache and log arguments don't really apply. –Tom Anderson Jan 11 '11 at 18:09 add a comment| up vote 0 down vote Given
Not as often as with a non-expiring token, but there are plenty of people who will leave a browser tab up for days at a time, keeping the session alive.The convenience weblink Join over 14 million monthly readers... and it feels really natural. Hacker News new | comments | show | ask | jobs | submit login If you develop web apps, don't do this. (datavibe.net) 239 points by sneak 2059 days ago |
There are so many good options for a key/value store you really can't go wrong, but I'll single out memcached for absolute simplicity. The process would be something as follows: Before sending the reminder email to John Doe, generate a random number token (a large enough number to prevent guessing) that expires after a Cannot INSERT Into Newly Created Column What is the significance of Kat's despising of Hemingway? navigate here Additionally, a reasonable extension of this simple approach would be a multi-tiered login level, in which somebody who logged in via email doesn't have access to certain sensitive account settings (changing
However, the difference there is that you will know if someone has changed your Foursquare password and the token used to allow for a password change can be expired immediately after Make companies apply to you with in-depth job info up front.Sign Up at Hired.com/signupAnswer Wiki1 Answer Alistair Israel, I build software stuffWritten 187w agoIn your case, using one key versus two Isn't it a bit too risky to have dozens of such powerful emails floating around in your inbox?
Lack of substantial benefit for the added complexity? See, the token sent through email is something the user 'knows'—however, as you've correctly observed it is possible for someone else to be able gain access to the user's email account I love SEO, SaaS, #webperf, WordPress, Java. When you're a dating website, engagement trumps security in many cases.
For example, if my email was linking to http://www.danbirken.com/, my app will change that link to http://www.danbirken.com/?email_login_code=abcdefg. When Drupal sends an email to a registered user, this module changes the email so that the user is logged in automatically when they click any of the links in the Please chime in and share it as a comment. his comment is here Do note however, that the weakest link is the ability for someone to hack your customer's Email (which is usually synced across multiple devices), so this is not sufficient security for
Are you serious?Those of us that live in the Real World send our regards. drdaeman 2059 days ago Unless your general audience are hackers.For example, Canonical's Launchpad requires you to set an expiration time on the links Certainly a good idea. david on January 5th, 2017 12:03 pm looks ok up to the point where I enter user id and password. Ensure the "User names and passwords on forms" is checked and click "OK" [Slide 3].
I mean, after all, this is tracking outside of our website. JoachimSchipper 2059 days ago Lots of people "log out" by letting their session expire; this would merely get them The steps below will remove the pain of logging in at Hotmail email account each time. And why?What's the best way to create a competition via email to subscribers.