Forum: Ruby on Rails login from token

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Ivor Paul (ivor) on 2008-10-15 14:48 (Received via mailing list)
Hi

I have users sending messages to other users with links in the email.

If the users click on the links in the email they go to the message in the app, but invariably they aren't logged in and have to do so before getting to the page they want to go to.

I want to build a login_from_token functionality that would add a token for the user who receives the email so that the link will go directly to the page, and in the process log them in.

My question: How safe is this? Are there issues with this approach in terms of privacy?

The email is supposed to be personal email accounts so in principle the link would be as safe as the email account?

I would appreciate your thoughts.

Regards
Ivor
Roy Pardee (rpardee) on 2008-10-15 18:45 (Received via mailing list)
If you want navigation to a URL to actually log a specific person in,
the tokens will have to be person-specific, won't they?  What do you
imagine the mechanics would be for getting a sending user to generate
one of those URLs?  Are you trading recipient-convenience for
sender-inconvenience?

Would setting this up allow potential-senders to impersonate anyone by
generating and then navigating to one of these URLs?

As an alternative, consider setting a long-lived cookie when a user logs
in, and check for its presence as part of your authentication routine
(e.g., if cookie exists, assume they are legit & pass them on to the
destination page).  That should cut down on the number of logins.

Thorsten Mueller (thorsten) on 2008-10-15 19:46 (Received via mailing list)
I would simply store the request uri in the session,
redirect the user to the login page and after successful
login redirect him to the requested page.
Chris Bartlett (Guest) on 2008-10-16 11:28 (Received via mailing list)
I agree with Thorsten and suggest you look at the Restful
Authentication plugin to see how to implement this.
Ivor Paul (ivor) on 2008-10-16 13:20 (Received via mailing list)
Thanks for the response.

I am using restful_authentication and have the login required process as Thorsten described.

What I wanted to do is allow a user to send a message to another user. In the mailer I want to call a method to append a token to that url that is specific to the user who will receive the email. When the user follows the link, I do a login_from_token and delete the token. Thus the token is a one-time auto-login for a specific user with no extra effort for the user sending the message and allowing the user following the link to skip the login page.

I am going with the remember-me cookie method, but I am still curious if there is a problem with what I want to do. I'm assuming private email is a secure way of sending the receiving user a link that would allow them auto-login. I don't use remember me cookies - I grew up in a family where we shared a PC so I just never got in the habit, and logging in everywhere just seems a PITA. My email is password protected so it should be enough proof that I am who I am. The fact that the token only works once would also minimize the risk that a user sends the link to someone else allowing them to access their account.

I don't want to waste anyone's time. I am going with remember me, but if someone is interested from an academic perspective I would enjoy their input.

Thanks for the feedback.

Ivor

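A minimal implementation of the one-time, user-specific login token Ivor describes, written for this thread as an added example (it is not code from the thread or from restful_authentication). It assumes an in-memory hash as a stand-in for a tokens table and a 24-hour expiry; only a digest of the token is stored, and redemption deletes the entry before any check can succeed, so a link works once at most and a leaked table yields no usable links.

```ruby
require 'securerandom'
require 'digest'

# Stand-in for a login_tokens table (constructed for the example).
class LoginTokenStore
  TTL = 24 * 60 * 60 # assumed lifetime of an emailed link, in seconds

  # clock is injectable so expiry can be exercised without sleeping
  def initialize(clock = -> { Time.now })
    @clock = clock
    @tokens = {} # sha256(raw token) => { user_id:, path:, expires_at: }
  end

  # Called from the mailer: mint a token bound to the recipient and the
  # target path. Returns the raw token for the link; it is never stored.
  def issue(user_id, path)
    raw = SecureRandom.urlsafe_base64(32) # 256 bits of entropy
    @tokens[digest(raw)] = { user_id: user_id, path: path,
                             expires_at: @clock.call + TTL }
    raw
  end

  # Called from login_from_token: redeem the token exactly once.
  # Returns [user_id, path] on success, nil if unknown, reused or expired.
  def redeem(raw)
    return nil if raw.nil? || raw.empty?
    entry = @tokens.delete(digest(raw)) # consumed before validation
    return nil if entry.nil?
    return nil if entry[:expires_at] < @clock.call
    [entry[:user_id], entry[:path]]
  end

  # Link the mailer would embed; base_url is a constructed value.
  def link_for(base_url, raw)
    "#{base_url}/login_from_token?token=#{raw}"
  end

  private

  # Lookup is by digest, so the raw token never touches storage or logs.
  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end
```

In a Rails app the store would be a model; the controller action would call redeem, set the session for the returned user and redirect to the returned path, and fall back to the normal login page on nil.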