
I have a database table with 4 columns (email, token, tokenDate (DateTime), isOnline (bool)).

What I am trying to do in ASP.NET MVC is have an application where the user goes to a page like Home/Index?email=xxxxx@xxxxxxx.com and, when they go to the page, they are logged in. What I could do when they go to the page is this:

  • Find the user in the database table
  • Mark isOnline to true
  • Set the tokenDate to DateTime.Now
  • Create a random token and set that as token
  • Create a web cookie with the same value as token

And when someone else (or the same person) with the same email tries to go to the page:

  • Find the user in the database table
  • If isOnline is marked as true, check whether the cookie exists; if it does, check it against the one in the database: if that fails, boot them out; if it succeeds, they can enter.

My question is: what token would I want to create so the original user is still authenticated, so that if they close their browser or go to another page they can still go to the main page where they authenticated?

Abdoulie Kassama
user979331
  • I would make sure that if someone can login via a URL that the email address is encrypted so people can't just start randomly logging in with email addresses. – Jack Marchetti Nov 15 '17 at 04:21
  • Why an application without a password? Let's say someone uses my email to login and then I, the original user, cannot login anymore because the token with the same email doesn't match? Isn't this a security issue as @Jack Marchetti mentioned? – Shaiju T Nov 15 '17 at 04:51
  • but couldn't someone forward the URL along and then two people have the same encrypted email? – user979331 Nov 15 '17 at 04:55
  • @stom those are my instructions, I am not a fan of it either. – user979331 Nov 15 '17 at 04:56
  • Be very clear - this *isn't* authentication. It's blind trust. – Damien_The_Unbeliever Nov 15 '17 at 08:37
  • Yes, if someone has access to the encrypted email URL they can log in. But the encryption at least prevents people from randomly guessing email addresses to log in. I'd push back against whoever is asking you to do this. – Jack Marchetti Nov 17 '17 at 17:52

1 Answer

The user goes to a page like Home/Index?email=xxxxx@xxxxxxx.com, or the user types their email in a text box.

STEP 1:

  • Find the user in the database table; if they don't exist, take them to the access denied page.
  • If they exist, mark isOnline as true.
  • Set the tokenDate to DateTime.UtcNow so that you can display it later in the user's local time.
  • Create a random token using a GUID and set that as the token in the database.
  • Create a cookie to store multiple values: one with the GUID value as the token and another with the user's email. Then set the cookie expiry to years so it doesn't expire even if the user closes the browser.

Step 2:

Now when the user goes to Home/SomeOtherPage or the authentication page Home/Index?email=xxxxx@xxxxxxx.com:

  • Check if a cookie with that name exists; if it exists, get the email and token values from the cookie and check them against the values in the database. If the token matches for the email, the user is authenticated.

  • Edit the cookie and set another value in it saying whether the user is authenticated, so next time the user visits, check that authenticated value; this would eliminate hitting the database again when the user visits pages again.

Note:

It would be better if you could encrypt the email while setting it in the cookie.

Shaiju T
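The two steps of the answer above, as an added example (not code from the question or the answer). It assumes classic ASP.NET MVC on System.Web, stands in for the table with an in-memory dictionary, and swaps the GUID for a CSPRNG token of which only the hash is stored; the class, method and cookie names are made up for illustration. It re-checks the table on every request instead of trusting an "authenticated" value written into the cookie, because the client can edit cookie values.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;

// One row of the (email, token, tokenDate, isOnline) table; the token column holds only a hash.
public class UserRecord { public string Email; public byte[] TokenHash; public DateTime TokenDateUtc; public bool IsOnline; }

public static class TokenLogin
{
    public const string CookieName = "auth"; // assumed cookie name, not from the page
    public static readonly Dictionary<string, UserRecord> Users = new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase); // assumption: stands in for the DB table
    static byte[] Sha256(byte[] data) { using (var sha = SHA256.Create()) return sha.ComputeHash(data); }
    // STEP 1: known user -> mark online, stamp UtcNow, store a random token, return the cookie.
    public static HttpCookie Issue(string email)
    {
        UserRecord user;
        if (!Users.TryGetValue(email, out user)) return null; // caller redirects to access denied
        var token = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(token); // CSPRNG rather than Guid
        user.TokenHash = Sha256(token); // a leaked table row does not yield a usable token
        user.TokenDateUtc = DateTime.UtcNow;
        user.IsOnline = true;
        var cookie = new HttpCookie(CookieName);
        cookie.Values["email"] = email;
        cookie.Values["token"] = HttpServerUtility.UrlTokenEncode(token); // cookie-safe base64url
        cookie.HttpOnly = true; // not readable from page script
        cookie.Secure = true;   // only sent over HTTPS
        cookie.Expires = DateTime.UtcNow.AddYears(1); // survives browser close, as the answer suggests
        return cookie;
    }
    // STEP 2: cookie present -> look up the email and compare the token hash in constant time.
    // The table is checked on every request; a client-writable "authenticated" flag is not trusted.
    public static bool Validate(HttpCookie cookie)
    {
        if (cookie == null || cookie.Values["email"] == null || cookie.Values["token"] == null) return false;
        UserRecord user;
        if (!Users.TryGetValue(cookie.Values["email"], out user) || !user.IsOnline) return false;
        byte[] presented;
        try { presented = HttpServerUtility.UrlTokenDecode(cookie.Values["token"]); }
        catch (FormatException) { return false; }
        return presented != null && FixedTimeEquals(Sha256(presented), user.TokenHash);
    }
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0; for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In the Index action, add the cookie returned by Issue(email) to Response.Cookies; guard the other actions with Validate(Request.Cookies[TokenLogin.CookieName]) and redirect when it returns false.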