Hyperlinks to secure sites.


Macca
17-06-2005, 15:34
Hi all

Please see the below excerpt from the minutes of a meeting we had today regarding an on-line flight booking service we are piloting in my department.

Neil asked if a web-page link could be added to the prompt email sent to authorisers, which would take them to the booking(s) that required their authorisation; negating the need for them to log-in and navigate the system themselves.
Beverly responded that this would bypass security checks.

My question is, is the response I got accurate? Well, I know it's accurate, I want them to bypass the security checks, but would it pose a risk?

I ask because, this site generates emails informing you of responses to conversations you are involved in or started. The hyperlinks in the emails bypass the log-in process for the site, and I'm sure there are other 'secure' sites that do the same.

Any advice would be gratefully received.

Cheers

N

Joelc
17-06-2005, 15:38
You mean the link automagically takes them to their secure section of the site? Depends how you do it, if you do like these boards for example, and store a cookie, then when they click a link in an email to this site, it reads the cookie, checks the auth, and if they are not authed (logged in with a session saved in the cookie) then it sends them to the login page, or if they are, then straight to the page they were linked to.

Joel

Macca
17-06-2005, 15:41
Originally posted by Joelc
You mean the link automagically takes them to their secure section of the site? Depends how you do it, if you do like these boards for example, and store a cookie, then when they click a link in an email to this site, it reads the cookie, checks the auth, and if they are not authed (logged in with a session saved in the cookie) then it sends them to the login page, or if they are, then straight to the page they were linked to.

Joel

Thanks for the response.

And this is with no 'risk' to the account?

Could this be corrupted at all, by a hacker for example?

N

JoeP
17-06-2005, 15:48
Anything can be spoofed.

It's just a matter of whether it is worthwhile anyone spoofing it, and the nature of the data that people are going to.

If people are authorising real money then your audit department might want a proper verification, rather than something based on cookies.

Certainly don't think of anything that puts the credentials in the link in the e-mail!! :)

Joe

Macca
17-06-2005, 15:53
Originally posted by JoePritchard
Certainly don't think of anything that puts the credentials in the link in the e-mail!! :)

Joe

Eeek - Jargon!

Not sure what you mean about the 'credentials'?
:confused:

N

Joelc
17-06-2005, 16:21
It's really always wise to have the extra step of people putting in their passwords once before doing any form of transactions with sensitive information, using https of course, just in case.

Joel

sccsux
17-06-2005, 16:36
Originally posted by liencam
Eeek - Jargon!

Not sure what you mean about the 'credentials'?
:confused:

N


Something along the lines of:


h77p://www.domain.ext/loginpage.scr?username=USERSNAME&password=USERSPASSWORD

which can easily be "sniffed" and/or guessed.


BTW: replace the 77 with TT;).

richard
18-06-2005, 12:49
Email is plain text and can be stored in so many places along the route from A to B. Your ISP can read your email. You *HAVE* to make users provide some form of authentication via https if account security is important (i.e. if it involves money or you just really care).

There needs to be a mechanism by which the user can identify themselves; you then need to check if their account still exists, and that the requested operation is allowed by their permissions.

In short it's a really bad idea; the login system should allow automatic logging on (via cookies) and the links in the email should not give any login details at all.

JoeP
18-06-2005, 12:55
I'm not sure a login system should support automatic login - look at what banks do.

Every time I use internet banking I have to sign in again.

I'd probably want to play it VERY safe.

Credentials are basically the things you use to log in. Typically something you have and something you know - a name or ID and a password or key phrase.

For my Internet banking, for example, I log in with a user id, a password and then have to select letters from a key phrase.

Not impenetrable but more than enough hassle for most people to not want to try it on.

If you have a 'cookies' based system and the user leaves their PC logged in (and it will happen) then it's no problem at all for someone to use that person's browser to impersonate the owner of the PC.

Joe

richard
18-06-2005, 13:00
Originally posted by JoePritchard
I'm not sure a login system should support automatic login - look at what banks do.

Every time I use internet banking I have to sign in again.

Yes, we are talking about degrees of security - banking has to be the most secure thing on the web and automatic logging in is a bad idea.

However, an online forum with data backup does not have to be that worried (this site has automatic logon).

ToryCynic
18-06-2005, 13:02
Originally posted by JoePritchard
I'm not sure a login system should support automatic login - look at what banks do.

Every time I use internet banking I have to sign in again.

I'd probably want to play it VERY safe.

Credentials are basically the things you use to log in. Typically something you have and something you know - a name or ID and a password or key phrase.

For my Internet banking, for example, I log in with a user id, a password and then have to select letters from a key phrase.

Not impenetrable but more than enough hassle for most people to not want to try it on.

If you have a 'cookies' based system and the user leaves their PC logged in (and it will happen) then it's no problem at all for someone to use that person's browser to impersonate the owner of the PC.

Joe

I have found that if the user is logged onto a secure site, they leave it, and then return, it'll say "Time period expired", or something similar.

Examples of these are: Wanadoo (e-Mail), TSB and Amazon (on the ordering page).

:)

richard
18-06-2005, 13:20
This is done with sessions.

With PHP a user is given a session id which is stored in a cookie or passed around in the location bar (the GET string) or when a form post is made. The session is stored as a file and contains variables that are linked to that session, things like username and passwords and permissions. These files have an expiry time, which is usually set on a site by site basis; the file is then deleted. Usually when someone then visits that site with a certain session id which does not correspond to a file on the server, the programmer will have provided you with a session expired message.
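
Added example (not part of the original thread, and not any poster's code): a minimal Python sketch of the flow the replies describe, where the e-mail link carries no login details, the server checks a server-side session with an expiry, and then checks the account and its permission for that booking. The host `booking.example`, the user names, booking ids and the 15-minute timeout are all constructed assumptions.

```python
import secrets

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, set per site

# Constructed sample data: accounts and which authoriser owns each booking.
ACCOUNTS = {"alice": {"active": True}, "bob": {"active": False}}
BOOKING_AUTHORISER = {"1001": "alice", "1002": "bob"}

SESSIONS = {}  # session id -> {"user": ..., "last_seen": ...}, kept server-side


def email_link(booking_id):
    """Link placed in the prompt e-mail: identifies the booking, nothing else."""
    return f"https://booking.example/bookings/{booking_id}/authorise"


def login(user, now):
    """Called after the password check succeeds over HTTPS; returns the cookie value."""
    sid = secrets.token_urlsafe(32)  # unguessable, carries no user data
    SESSIONS[sid] = {"user": user, "last_seen": now}
    return sid


def current_user(sid, now):
    """Return the logged-in user for this cookie, or None if unknown or expired."""
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if now - session["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[sid]  # expired: forget it, like deleting the session file
        return None
    session["last_seen"] = now
    return session["user"]


def open_email_link(sid, booking_id, now):
    """Decide what the server does when the e-mail link is clicked."""
    if not booking_id.isdigit():
        return ("forbidden", "bad booking id")
    path = f"/bookings/{booking_id}/authorise"
    user = current_user(sid, now)
    if user is None:
        return ("redirect", f"/login?next={path}")  # log in first, then come back
    if not ACCOUNTS.get(user, {}).get("active"):
        return ("forbidden", "account disabled")
    if BOOKING_AUTHORISER.get(booking_id) != user:
        return ("forbidden", "not the authoriser for this booking")
    return ("ok", path)
```

Anyone who obtains the e-mail learns only a booking number; without a live session they land on the login page, and with one they still only reach bookings they are the authoriser for.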

Pete1024
18-06-2005, 19:59
Yes it does pose a risk as common POP3 e-mail on port 110 is sent 'in the clear', i.e. not encrypted and accessible by anyone!
Secure e-mail is available but not commonly used by your average customer.

You could use a security certificate on the users computer, that is installed when they register, you could then send the confirmation interacting with the certificate for confirmation.

Also you could use IP address related security, so the user has to register their IP address with you and a confirmation is only accepted from registered IPs, most people have static ones, if the IP is not registered it asks for a username and password?

richard
19-06-2005, 09:56
Most people actually have dynamic IP addresses. Many ISPs do not give you the option of a fixed IP.

Macca
20-06-2005, 06:18
Thanks for all your help guys

N