  1. #1

    Access to private web site without login/password - How to implement?

    I run a totally private website. Any visitor immediately gets login/password prompt, which is implemented at the webserver level (nginx). There's no option to register - I distribute login/password to legitimate users in advance.

    This approach inconveniences the users because they have to type in username/password. I wonder if there's a way to provide every user with their unique URL, by clicking on which they would get access to the site immediately. I still want to disallow general public access. I also want to keep track which user is visiting my site.

    Or perhaps, there exists a better solution?

    I couldn't find any info on this on the web at all. If you can refer to any resources, thanks in advance!

    PS. If this post belongs elsewhere, I'd appreciate your recommendation.

  2. #2
    One approach is to put the username and password into the URL:
    Last edited by latgarf; 01-21-2013 at 01:42 PM.

  3. #3
    Irithori (Trusted Penguin, joined May 2009)
    This is not a solution, it is a security nightmare.

    The username/password would then be visible in logfiles and browser histories.
    Just think of the consequences, if one of your users logs in on a different, maybe public PC.

    Username/password for now is still widely used and accepted.
    More so: Blizzard, Google, etc. offer to add even more security in the form of time-based one-time passwords via Google Authenticator and mobile apps.

    So my suggestion is to keep your previous authentication schema.
    You must always face the curtain with a bow.

  5. #4
    Excellent point, Irithori. But given that I only want to provide the URL to a user once (and not bother him anymore), how would I in practice supply those time-based one-time passwords to users?

  6. #5
    Irithori (Trusted Penguin, joined May 2009)
    You can't.
    By definition time-based OTPs have a very short Time-To-Live.
    A typical ttl is 30s.
    After that a new value is generated and valid for the next 30s.
    TOTPs are a way to increase security, not usability.

    If you want to increase usability, then one advice can be to store the (regular, non-TOTP) passwords in the browsers' password safe.
    Firefox, Opera, etc. do have such a feature.
    Obviously this is only an option for controlled, secured devices.
    Such as your private or corporate PC/laptop/tablet/smartphone.
    Don't save passwords on public PCs or your friends' machines.
    Last edited by Irithori; 01-21-2013 at 02:21 PM. Reason: clarifications
    You must always face the curtain with a bow.
