I am developing a client website and they send out newsletters to their clients (via the website administration interface). Newsletters are personal to each of the signed-up recipients / clients. Each recipient / client is also a user with a username / password that allows them to register on the website, manage newsletter subscriptions and participate in the site community.
It all works like a charm. Now my client needs the "Manage my subscriptions" link in the newsletter email, which, when clicked, automatically signs the recipient / client on the website without having to remember the username and password.
This can be easily solved by creating a link as follows:
http://mysite.com/manage.aspx?user=peter&password=hounddog
Of course, the information should not be clear text, but somehow encrypted.
This, however, poses a problem, since the only way to authenticate a user on a website is by providing a valid username and password. In the name of security, passwords are stored as hashed values in the database, which makes it impossible to insert a password in the link.
What is the best way to accomplish this without compromising security?
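One common way to build such a link without ever putting credentials (or anything derived from the password hash) in the email: issue each recipient a random, single-use, expiring token, store only its digest server-side, and let the link carry the token. Added example in Python (not code from the question or from any ASP.NET library); the base URL, the one-week lifetime and the in-memory table are assumptions standing in for the site's real database.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed in-memory stand-in for a database table of issued links.
# Only the SHA-256 digest of each token is stored, so a leaked table
# cannot be turned back into working links.
TOKEN_TABLE = {}
BASE_URL = "https://mysite.com/manage.aspx"   # assumed, from the question's URL
TOKEN_TTL = 7 * 24 * 3600                     # assumed policy: links die after a week


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(username: str, now: float = None) -> str:
    """Create a single-use, expiring link for one recipient and return it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG, unguessable
    TOKEN_TABLE[_digest(token)] = {
        "user": username,
        "expires": now + TOKEN_TTL,
        "used": False,
    }
    # The password never appears; the token is the only secret in the URL.
    return BASE_URL + "?" + urlencode({"t": token})


def token_from_link(link: str) -> str:
    """Extract the token the way manage.aspx would read it from the query string."""
    return parse_qs(urlparse(link).query).get("t", [""])[0]


def redeem_token(token: str, now: float = None):
    """Return the username for a valid token and burn it; None for anything else.

    The session this grants should be scoped to subscription management only,
    not to a full login, so a forwarded or intercepted email limits the damage.
    """
    now = time.time() if now is None else now
    rec = TOKEN_TABLE.get(_digest(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None                            # unknown, already used, or expired
    rec["used"] = True                         # single use: replaying the link fails
    return rec["user"]
```

Sending a fresh link with each newsletter keeps the window short, and marking a token used on first click means a copy of the email is worthless afterwards.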