1

I had a link http://uuuu.com/index.jsp?username=user&password=pass . If the user clicks on the link it should be automatically login to the website with reading the username and password from that url. So the user no need to fill the username field and password field to view the site. Is the url format is correct?if not what is the proper format to do it?

Aravindh RS
  • 63
  • 1
  • 1
  • 13
  • 2
    are you sure you want to pass the password in url? using get request ? – Prasad Kharkar Jan 29 '14 at 09:25
  • yes. i want to pass it via url – Aravindh RS Jan 29 '14 at 09:28
  • Don't miss this outstanding Community Wiki article: [The definitive guide to form based website authentication](http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication) – Andrea Ligios Jan 29 '14 at 10:58
  • possible duplicate of [How to automatically login to the website using hyperlink?](http://stackoverflow.com/questions/21427542/how-to-automatically-login-to-the-website-using-hyperlink) – Andrea Ligios Jan 29 '14 at 10:58

4 Answers4

6

I think the format you need is

http://username:password@yoursitename.com

I would still say that this approach is not recommended. You should not pass username and password through URL!

Rohan
  • 613
  • 5
  • 15
  • if there is any other way 2 do this? – Aravindh RS Jan 29 '14 at 09:58
  • I dont think so. You could use the URL but thats not good due to security issues. Using the login form is your best bet and is certainly more secure than URL. – Rohan Jan 29 '14 at 10:17
  • i have sent an link to my website through email.if the user click the link it should automatically logins to the site – Aravindh RS Jan 29 '14 at 10:22
  • If thats the case then why not try the solution i gave you? If you are asking me for an alternative solution then, As far as i know, there is no other secure way of achieving this. – Rohan Jan 29 '14 at 10:32
2

Nobody can comment on whether the URL format is correct or not without knowing the internals of the authentication implementation on the server. One thing is sure - it is a bad idea from security view because parameters appended to the URL are not secure.

RaviH
  • 3,396
  • 2
  • 13
  • 14
  • so what is the solution? – Aravindh RS Jan 29 '14 at 09:30
  • my requirement is I need to automatically login to the website with hyperlink.So what to do? – Aravindh RS Jan 29 '14 at 09:31
  • @AravindhRS what RaviH is saying is that we can not provide you with a solution unless you provide more details about the environment and implementation where this application is running. Once you have provided those details in your question we MAY be able to help you further. – DanielBarbarian Jan 29 '14 at 09:52
1

If you are using j_security try this 

http://uuuu.com/index.jsp/j_security_check?j_username=username&j_password=password
Jebus
  • 65
  • 2
  • 12
0

If you have the username and password then i would suggest to use html form tag. See here.

But note if you have applied Anti-forgery token to prevent CSRF attack then it may also not work.

Arjun
  • 766
  • 2
  • 10
  • 24