All geek questions in one place

Authentication without username / password?

We are creating a multi-user PHP application. Each company account will operate on its own subdomain abcorp.example.com. The application allows companies to write and publish content (faqs, etc.) for reading their customers.

They will tell their customers: abcorp.example.com/read the content. Or they put a link to this URL in their secure web application.

However, these companies may not want anyone to read the content by going to abcorp.example.com/

So the question I have is any way to provide some basic authentication without going into authentication of username and password. I was thinking of some kind of hidden token added to the hyperlink or something like that

My goal:

  • If users type abcorp.example.com/ directly in the browser, they will not be able to see the web page because they did not authenticate or miss the token.

  • Avoid Username and Password

Another option would be a URL authentication link

+4
source share
5 answers

You can use basic hashing, by means of which a shared secret password or โ€œkeyโ€ is stored in your system and each company system (another key for each company is not published publicly), and then you enter the secret password with a subdomain into the link and enable the digest as parameter. Then you test it by running the same algorithm on your side and compare with the digest.

the link might look something like this:

abc.example.com/?d=b5939ca22f5dcf345b4000641995478c5910dbd1607b1bdadcbf4a8618a95211

where is the digest:

$d = hash('sha256', $secret_password.$subdomain);

or including referent:

$d = hash('sha256', ($secret_password.$subdomain.$_SERVER['HTTP_REFERER']));

The obstacle to overcome is to make sure that each company can support the correct generation of these links based on the specific key / algorithm of the company - and that this is different for each company, so one company cannot create links for another.

This is better than a lack of authentication, or a publicly shared token that has not been verified at all, but I'm sure it still has vulnerabilities.

-2
source

Of course, if someone makes a public token, he will open access to whoever finds him.

I believe that each company can link to its page using a common token, for example:

abccorp.example.com/?t=4rrfwr23rwads3

Each token can be stored in a file or database.

When someone requests a page, he checks the value of $ _GET ['t'] on what is stored on the server. If it matches, it loads the rest of the page. Of course, this variable would need to be transferred across the site and included in each link.

Again, this will not be very safe. An open token can provide access to the whole world.

+1
source

Your idea of โ€‹โ€‹a "hidden marker" is essential for sessions . A session can be used to identify the user (i.e., Track what the user does when viewing the site) and > it is common to transmit the session identifier in links or store it in a cookie.

However , using a session without any other authentication is inherently unsafe! When you disclose a way to authenticate and track users to the user himself, the user can change or fake his authentication. For example, the user can change the value passed for the session identifier, or change the value stored in the cookie.

Read the section on PHP sessions and security .

+1
source

You can also use the IP address of clients as a token by providing different IP addresses to different (parts / instances) of the system. But winning is not very safe, because (1) you have no way to find out who is behind the client PC, and (2) IP addresses can be faked. Perhaps you could develop additional specifications; giving IP addresses only access during working hours or checking the client browser (user agent) and checking it for the user agent officially used on the client.

0
source

Client side certification. Check out http://en.wikipedia.org/wiki/Mutual_authentication .

0
source

Source: https://habr.com/ru/post/1341458/

More articles:


All Articles