Temporary login code system


Alexander Obuhovich

Jan 26, 2012, 4:20:57 PM
to In-Portal Development
In-Portal already uses temporary access codes, e.g. for:
  • forgot password
  • e-mail activation
The problem with the current implementation is that only 1 temporary access code can exist for 1 user. This way, if a user receives 2 e-mails with a temporary code in each of them, then the link in the first e-mail will be broken by default.


I'm suggesting to create TemporaryLoginCodes table in database with following structure:
  • CodeId
  • CodeHash
  • UserId
  • GeneratedOn
  • ExpiresOn

Then we add a ?temp_code=xxxxxxxxxxxx parameter to the URL of all links that require the user to be logged in, in each e-mail In-Portal sends to the user. When In-Portal sees a temporary code in the URL, it automatically logs in the user associated with that code. Then normal URL processing occurs.

In case the temporary code is no longer valid, the user gets redirected to the no-permission page.


--
Best Regards,

http://www.in-portal.com
http://www.alex-time.com
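One way to model the TemporaryLoginCodes table and the ?temp_code= handling proposed above. This is an added example, not In-Portal code (In-Portal is PHP; Python with an in-memory sqlite3 table is used here so the model runs stand-alone). The column set follows the proposal; the ConsumedOn column, the 24-hour default lifetime, the class and function names, and the sample user ids are assumptions made for this example.

```python
import hashlib
import secrets
import sqlite3
import time
from urllib.parse import parse_qs

# Constructed in-memory model of the proposed TemporaryLoginCodes table.
# Timestamps are kept as epoch seconds for simplicity; a DATETIME column
# works the same way. ConsumedOn is an addition made here, not part of the
# proposal, so that a code is honoured once only.
SCHEMA = """
CREATE TABLE TemporaryLoginCodes (
    CodeId      INTEGER PRIMARY KEY AUTOINCREMENT,
    CodeHash    TEXT    NOT NULL UNIQUE,
    UserId      INTEGER NOT NULL,
    GeneratedOn REAL    NOT NULL,
    ExpiresOn   REAL    NOT NULL,
    ConsumedOn  REAL
);
"""


def code_hash(code):
    # Only the SHA-256 of the code is stored (CodeHash), so a leaked table
    # does not hand out working login links.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


class TempCodeStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def issue(self, user_id, ttl_seconds=24 * 3600, now=None):
        """Create a new code for user_id. Any number of codes may be live
        per user, so a second e-mail no longer breaks the link in the first."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
        self.db.execute(
            "INSERT INTO TemporaryLoginCodes (CodeHash, UserId, GeneratedOn, ExpiresOn)"
            " VALUES (?, ?, ?, ?)",
            (code_hash(code), user_id, now, now + ttl_seconds),
        )
        self.db.commit()
        return code

    def redeem(self, code, now=None):
        """Return the UserId for a live, unused code and mark it consumed;
        return None for unknown, expired or already-used codes (the caller
        then redirects to the no-permission page instead of logging in)."""
        now = time.time() if now is None else now
        row = self.db.execute(
            "SELECT CodeId, UserId, ExpiresOn, ConsumedOn"
            " FROM TemporaryLoginCodes WHERE CodeHash = ?",
            (code_hash(code),),
        ).fetchone()
        if row is None:
            return None
        code_id, user_id, expires_on, consumed_on = row
        if consumed_on is not None or expires_on <= now:
            return None
        self.db.execute(
            "UPDATE TemporaryLoginCodes SET ConsumedOn = ? WHERE CodeId = ?",
            (now, code_id),
        )
        self.db.commit()
        return user_id


def user_from_request(store, query_string, now=None):
    """Model of the ?temp_code=... handling: if the query string carries a
    code, try to redeem it and return the UserId to log in; otherwise None."""
    codes = parse_qs(query_string).get("temp_code")
    if not codes:
        return None
    return store.redeem(codes[0], now=now)
```

Two points a deployment should keep in mind: the code travels in a GET URL, so it lands in server logs, browser history and Referer headers, which is why the example hashes it at rest, keeps it single-use and gives it a short lifetime; and after a successful redeem the application should start a fresh session id rather than upgrade whatever session cookie the browser already sent.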

Phil

Jan 26, 2012, 4:41:00 PM
to in-por...@googlegroups.com
+1! Really nice and powerful idea.


Sent with Sparrow

Alexander Obuhovich

Jan 26, 2012, 5:05:32 PM
to in-por...@googlegroups.com
Phil, have you seen something like this on other websites, and if so, does it work there?

Phil

Jan 26, 2012, 5:23:49 PM
to in-por...@googlegroups.com
Well, I saw this on many websites; I'll try to find a relevant example as soon as I get one in my email :)


Sent with Sparrow

Alexander Obuhovich

Jan 27, 2012, 3:37:29 AM
to in-por...@googlegroups.com
Saw an interesting example on Google. When you get redirected to the "No Permission" page, then:
  • if you're already logged in, a "Sign out and sign in as a different user" link appears that, once clicked, will log you out and redirect you to the login page, keeping the original URL you were trying to reach as a "continue" URL parameter
  • if you're not logged in, the login form is shown right on the "No Permission" page

Phil

Jan 27, 2012, 4:20:22 AM
to in-por...@googlegroups.com
Yup, the process I was describing yesterday evening in chat :) However, Google does something more: if you have another user cookie, it detects it and offers to log in using this user :)
But I don't need such a complicated thing now.


Sent with Sparrow

Alexander Obuhovich

Jan 27, 2012, 4:41:43 AM
to in-por...@googlegroups.com
Exactly, I've just collected more details on this subject and posted them here.

What you describe is In-Portal's "Remember Username" functionality (of the admin console; no analog on the front-end), where the username of the user who made the last login is displayed by default on the login form and you only need to type in the password.

I think that the remember username functionality would help front-end users too, but then we'll have 2 checkboxes on the login form:
  • Remember Username (just remembers the username on the login form)
  • Remember Login (keeps the user logged in for 1 month)

Dmitry A.

Jan 29, 2012, 12:29:28 PM
to in-por...@googlegroups.com
Usually only 1 of the 2 check-boxes should be on the Login Form; it does not make sense to have both.

1. When the website does not contain any highly sensitive data (i.e. NOT a Bank or something else of that type), they allow using Remember Me (username + password), so the user is auto-logged in.

2. When it's a more secure website, they only use Remember Username, so you don't have to type it twice.

In no case do they show both.


DA

Phil

Jan 29, 2012, 12:34:18 PM
to in-por...@googlegroups.com
Hi guys,

OK, but we are not talking anymore about the topic: a temporary code that lets users click a link received by email and be logged in without any further actions.

p


Sent with Sparrow

Alexander Obuhovich

Jan 29, 2012, 1:08:06 PM
to in-por...@googlegroups.com
We're sort of talking about it, since improvements to the login system could remove the need for a temporary login system.

Anyway, the suggestion of changing the "no_permission.tpl" template should cover the need for a temporary login system.

Alexander Obuhovich

Jan 24, 2013, 5:00:21 AM
to Development In-Portal
Seems to be an interesting topic, but I'm kind of lost among all the ideas here. Let me summarize:

1. Create a user token system that would allow generating an unlimited number of tokens per user, which can be used to securely identify that user later on. This can be widely used when creating links to protected pages (e.g. my account pages), where the user must confirm his identity before being able to view that page.

This token system would replace all token-like code that we have right now:
  • password change link in the forgot password e-mail
  • verify e-mail link in the user registration (active) notification e-mail
  • verify e-mail link in the user e-mail change notification e-mail
  • user registration approval link in the user registration (pending) notification e-mail
  • old e-mail restore link in the e-mail change notification e-mail
Additionally it would allow us to create a login token that would instantly log the user in to the website (no need to type a password or perform a redirect to the login page) when included in that page link.

Initial version of this functionality was already implemented in "#35976 - User Auto-Login on Front-end" task (In-Business) and needs to be ported to upcoming feature release.


2. When the user isn't logged in OR doesn't have permission to do something, redirect to a unified "no permission/login" page, where:
  • if you're already logged in, a "Sign out and sign in as a different user" link appears that, once clicked, will log you out and redirect you to the login page, keeping the original URL you were trying to reach as a "continue" URL parameter
  • if you're not logged in, the login form is shown right on the "No Permission" page
This way, if the user doesn't have permission for an operation, he can transparently re-login using different credentials.


3. "Remember username" functionality improvements.
We have 2 ways of remembering last user information on the website (via cookies):
  1. "keep me logged-in" - will re-create the user session on the next visit (in case it has already expired), so the user would think he is infinitely logged in
  2. "remember username" - would remember the last used username in a cookie, but won't re-create an expired user session.
Currently we use "keep me logged-in" on the Front-End (called "Remember me" there) and "remember username" in the Admin Console.

Maybe, as Dmitry advised, we should have a setting that would:
  • allow setting what type of remembering should be used on the Front-End and in the Admin Console separately
  • give the ability to set the exact duration (instead of the hardcoded "1 month") for which the "keep me logged-in" functionality would remember the user's presence on the website
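Item 2 above hands the originally requested URL through a "continue" parameter on the logout and login links. The one check a practitioner would add to that flow is that the parameter only ever sends the browser back to a page on the same site. The following is an added Python example of that check and of the two responses the unified page produces; it is not In-Portal code, and the host name, the /login and /logout paths and the function names are assumptions made for the example.

```python
from urllib.parse import urlencode, urlsplit

# Constructed host for the example; a real site would read its own host setting.
SITE_HOST = "www.example.com"


def safe_continue(continue_url, default="/"):
    """Accept only a path on this site, or an absolute http(s) URL on
    SITE_HOST (reduced to its path), as the post-login target. Anything
    else (other hosts, scheme-relative //host, javascript:, backslash
    tricks) falls back to the default page instead."""
    if not continue_url or "\\" in continue_url:
        return default
    parts = urlsplit(continue_url)
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https") or parts.netloc != SITE_HOST:
            return default
        path = parts.path or "/"
        return path + ("?" + parts.query if parts.query else "")
    if not continue_url.startswith("/") or continue_url.startswith("//"):
        return default
    return continue_url


def no_permission_response(requested_url, logged_in):
    """Decide what the unified no-permission/login page renders.

    logged_in=True  -> offer "Sign out and sign in as a different user":
                       the logout link itself carries a continue parameter
                       pointing at the login form, which carries the
                       original page.
    logged_in=False -> show the login form with the original page as
                       its continue parameter."""
    cont = safe_continue(requested_url)
    login_url = "/login?" + urlencode({"continue": cont})
    if logged_in:
        return {
            "action": "switch_user",
            "logout_url": "/logout?" + urlencode({"continue": login_url}),
        }
    return {"action": "show_login_form", "login_url": login_url}
```

Reducing same-host absolute URLs to a path, rather than echoing them back, also keeps a stray "http://www.example.com.evil.net/" from slipping through a prefix comparison.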