Hi,

I was wondering if someone from the community already has experience with logging in users via a couple of parameters in the URL. (I didn't quite find what I was looking for yet by searching around here.)

The case is that we have a partner who regularly sends out mailings to online content. He would like to start using our Drupal platform to put his content on and allow the people in his mailings to comment on the content. We would make a role or even 1 account (mailing-visitor or whatever) for these people (we don't allow anonymous comments). To make sure these people log in to Drupal straight away, we would need some kind of URL login going straight to a certain node.

Can someone around here get me started with how best to proceed with this? Maybe someone has a module lying around already doing exactly this? Or maybe I didn't look in the right place and I deserve to be publicly flogged with various unpleasant flogging tools.

Cheers,
Wouter

Comments

geodaniel’s picture

I like the idea of one time logins by URL parameter, as long as they only work once, otherwise it's a potential security issue. The core user registration/password reset system does something very similar. Have you checked out the User access/authentication modules to see if there's anything in there that suits?
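A sketch of the one-time link idea described in the comment above, added here as an example; it is not code from this thread or from Drupal core. It uses only plain PHP functions, and the names `make_login_link`, `redeem_login_link`, `LINK_TTL` and the in-memory `$used` array (standing in for a database table) are hypothetical.

```php
<?php
const LINK_TTL = 86400; // seconds a link stays valid (assumed policy)

/** Build the query string of a login link bound to one account and one node. */
function make_login_link(string $secret, int $uid, int $nid, int $now): string
{
    $nonce   = bin2hex(random_bytes(16));            // makes every link unique
    $payload = "$uid:$nid:$now:$nonce";
    $mac     = hash_hmac('sha256', $payload, $secret); // only the server can compute this
    return http_build_query(['t' => $payload, 'm' => $mac]);
}

/**
 * Verify a link. Returns [uid, nid] on success, null on any failure.
 * $used stands in for a table of redeemed nonces; a real store must make
 * the check-and-insert atomic so two parallel requests cannot both succeed.
 */
function redeem_login_link(string $secret, string $query, int $now, array &$used): ?array
{
    parse_str($query, $q);
    if (!isset($q['t'], $q['m']) || !is_string($q['t']) || !is_string($q['m'])) {
        return null;
    }
    // Check the MAC in constant time before trusting any field of the payload.
    if (!hash_equals(hash_hmac('sha256', $q['t'], $secret), $q['m'])) {
        return null;
    }
    $parts = explode(':', $q['t']);
    if (count($parts) !== 4) {
        return null;
    }
    [$uid, $nid, $issued, $nonce] = $parts;
    if ($now < (int) $issued || $now - (int) $issued > LINK_TTL) {
        return null;                                 // outside the validity window
    }
    if (isset($used[$nonce])) {
        return null;                                 // link was already redeemed
    }
    $used[$nonce] = true;                            // burn the nonce
    return [(int) $uid, (int) $nid];
}

// Constructed demo values, not real credentials.
$secret = 'constructed-demo-secret';
$used   = [];
$link   = make_login_link($secret, 42, 7, 1000);
var_dump(redeem_login_link($secret, $link, 1500, $used));       // first use
var_dump(redeem_login_link($secret, $link, 1600, $used));       // same link replayed
var_dump(redeem_login_link($secret, $link . 'x', 1500, $used)); // altered MAC
```

The link carries no password, so a copy left in browser history or an access log is worthless once it has been redeemed or has expired.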

eli’s picture

FierceSSO, my single sign-on module, uses a technique to log on via URL parameters. It uses images, but you might be able to adopt it for your needs.

dman’s picture

It's security suicide, and a cheap hack that may have other side effects, but...

I've done this for a demo site to auto-login some links to demonstrate what pages look like to differently authenticated user roles. Without logging in and out a dozen times.

At the top of your index.php, put

// BAD THING TO DO
// Allow GET URLs to submit where the system is expecting a POST.
$_POST = $_REQUEST;

Then your login link can be:

http://Your.site/node?name=yourname&pass=yourpass&form_id=user_login_block&op=Log%20in&destination=admin

(you can change destination to anything you want)

Among other things, your password is now exposed in plaintext in your browser history, your ISP's proxy logs, and the remote site's access log.

This is dangerous

Not that normal session logins can't already be snooped by anyone with access to any of those machines if they wanted, but it's now a lot easier to find this info by accident. It may even end up in log reports and things and go public.

Seeing as you've already considered that these credentials will be for a throw-away account, it'll probably be fine for you. Other side effects ... well, I dunno.

.dan.
How to troubleshoot Drupal | http://www.coders.co.nz/

robrepp’s picture

Your solution works perfectly, thanks, dman.

eli’s picture

You should be really careful using that piece of code. URLs aren't supposed to include private data and they have a nasty habit of leaking out onto the web...

Stuffing variables into $_POST may also defeat other security features elsewhere in Drupal.

andrewfn’s picture

Did you manage to solve this problem? If so, I would be interested in how you did it.
I am thinking of using the securesite module, but I don't like the idea of having to put the password in the URL.

Jeff Burnz’s picture

There was a module that does this, I think it's called Autologin, but it's insecure and should not be used on a normal live production site. Not sure if a release node was ever made.

lilott8’s picture

follow