Hi,
there are many situations where you might want to send users a link via email to a web page. However, "infrequent users" usually forget their password on an OpenACS site.
So I think that it would be very convenient to be able to send users a link with an auto-login code:
- The "auto-login" code should have a variable validity time, from a few minutes to a few weeks.
- It would be cool if there wouldn't be any modifications to existing pages
- The "auto-login" code should be easily generated and maybe integrated into the "acs-mail-lite" module or similar mass-mailing modules.
We're currently thinking about the following implementation options with slight tendency towards the first one:
- Modify the "register" page: This page could inspect the "return_url" field for an "auto-login" variable and skip the usual authentication process if the code is correct. Pros: convenient, transparent. Cons: Modify an OpenACS core page.
- Set up a "redirect" page somewhere that takes a "redirect_url" and an "autologin" code. Pros: No changes in OpenACS core code. Cons: A bit uglier for the email user.
Here are some of the requirements for the encoding of the "auto-login" variable:
- The encoding should be cryptographically reasonably hard.
- We need to include the user_id information, obviously.
- We need to encode the timing information. This time information must be relative to the server's time (in case its clock is not very well synchronized).
- Maybe we could reduce the "cryptographic hardness" by limiting multiple login-attempts from the same IP address and/or by a delay time.
Have any of you had experience with this subject or done something similar? We're wondering in particular about the cryptographic part for a "correct" implementation.
Bests,
Frank
mailto:frank_dot_bergmann_at_project_dash_open_dot_com
http://www.project-open.com/
http://www.project-open.org/
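One way to build such a code that meets the requirements above (user_id bound to a server-side expiry, authenticated with a keyed MAC so it cannot be forged or edited), as an added example that is not code from the OpenACS project or the poster; it is Python rather than Tcl, and the function names and the demo secret are assumptions:

```python
import base64
import hashlib
import hmac
import time

# Constructed demo key; a real deployment would load a dedicated secret
# (separate from other keys) from server configuration, never from code.
SERVER_SECRET = b"constructed-demo-secret-replace-in-deployment"


def make_autologin_token(user_id, validity_seconds, secret=SERVER_SECRET, now=None):
    """Bind user_id to an absolute expiry taken from the server clock and MAC it.

    The expiry is computed on the server, so only the server's clock matters;
    validity_seconds can be anything from minutes to weeks.
    """
    issued = int(time.time() if now is None else now)
    expires = issued + int(validity_seconds)
    payload = f"{int(user_id)}:{expires}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    # URL-safe so it can sit in a mailed link; padding stripped for tidiness.
    return base64.urlsafe_b64encode(payload + b":" + tag).rstrip(b"=").decode()


def verify_autologin_token(token, secret=SERVER_SECRET, now=None):
    """Return the user_id if the token is authentic and unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        user_part, expires_part, tag = raw.split(b":", 2)
        user_id, expires = int(user_part), int(expires_part)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, user_part + b":" + expires_part, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(tag, expected):
        return None
    current = int(time.time() if now is None else now)
    if current >= expires:
        return None  # expired; checked only after authenticity is established
    return user_id
```

The register or redirect page would call verify_autologin_token on the query parameter and, on a non-None result, establish the session for that user; a token that must be usable only once additionally needs server-side state (for example a table of consumed tokens), which this stateless form deliberately omits.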