  1. #1
    Just Joined!
    Join Date
    Nov 2011
    Posts
    4

    Access to private web site without login/password - How to implement?


    I run a totally private website. Any visitor immediately gets a login/password prompt, which is implemented at the webserver level (nginx). There's no option to register - I distribute login/password to legitimate users in advance.

    This approach inconveniences the users because they have to type in username/password. I wonder if there's a way to provide every user with their own unique URL, by clicking on which they would get access to the site immediately. I still want to disallow general public access. I also want to keep track of which user is visiting my site.

    Or perhaps, there exists a better solution?

    I couldn't find any info on this on the web at all. If you can refer to any resources, thanks in advance!

    PS. If this post belongs elsewhere, I'd appreciate your recommendation.

  2. #2
    Just Joined!
    Join Date
    Nov 2011
    Posts
    4
    One approach is to put the username and password into the URL:
    username:password@mysite.com
    Last edited by latgarf; 01-21-2013 at 02:42 PM.

  3. #3
    Trusted Penguin Irithori
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,444
    This is not a solution, it is a security nightmare.

    The username/password would then be visible in logfiles and browser histories.
    Just think of the consequences, if one of your users logs in on a different, maybe public PC.

    Username/password for now is still widely used and accepted.
    More so: Blizzard, Google, etc. offer to add even more security in the form of time-based one-time passwords via Google Authenticator and Battle.net mobile apps.


    So my suggestion is to keep your previous authentication schema.
    You must always face the curtain with a bow.

  5. #4
    Just Joined!
    Join Date
    Nov 2011
    Posts
    4
    Excellent point, Irithori. But given that I only want to provide the URL to a user once (and not bother him anymore), how would I in practice supply those time-based one-time passwords to users?

  6. #5
    Trusted Penguin Irithori
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,444
    You can't.
    By definition, time-based OTPs have a very short Time-To-Live.
    A typical TTL is 30s.
    After that a new value is generated and valid for the next 30s.
    TOTPs are a way to increase security, not usability.

    If you want to increase usability, then one piece of advice is to store the (regular, non-TOTP) passwords in the browser's password safe.
    Firefox, Opera, etc. do have such a feature.
    Obviously this is only an option for controlled, secured devices.
    Such as your private or corporate PC/laptop/tablet/smartphone.
    Don't save passwords on public PCs or your friends' machines.
    Last edited by Irithori; 01-21-2013 at 03:21 PM. Reason: clarifications
    You must always face the curtain with a bow.
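Irithori's point about the 30 s time-to-live, made concrete as an added example (not code from this thread): a minimal RFC 6238 TOTP generator and verifier in Python, using the ASCII test secret that RFC 6238 publishes rather than any real user's seed. It shows that a code minted once is rejected a few steps later, which is why a static per-user link cannot carry a TOTP.

```python
import hashlib
import hmac
import struct

# RFC 6238 publishes this ASCII secret for its SHA-1 test vectors; it is a
# constructed example key, never a real user's seed.
RFC6238_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # the 30 s time-to-live discussed in the thread


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = STEP_SECONDS, digits: int = 6, skew: int = 1) -> bool:
    """Accept a code only if it matches the current step or one within +/- skew steps.
    hmac.compare_digest keeps the comparison constant-time."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), candidate)
        for d in range(-skew, skew + 1)
    )


def seconds_until_rotation(unix_time: int, step: int = STEP_SECONDS) -> int:
    """How long the code valid at unix_time remains the current one."""
    return step - (unix_time % step)


if __name__ == "__main__":
    t0 = 1111111109  # one of the RFC 6238 sample timestamps
    code = totp(RFC6238_TEST_SECRET, t0, digits=8)
    print("code at t0:", code, "rotates in", seconds_until_rotation(t0), "s")
    for delay in (0, 30, 90):
        ok = verify_totp(RFC6238_TEST_SECRET, code, t0 + delay, digits=8)
        print(f"t0+{delay:>2}s accepted:", ok)
```

With the default one-step skew, the code from t0 is still accepted 30 s later but rejected 90 s later; the RFC's 8-digit vectors (e.g. 94287082 at t=59) reproduce exactly.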
