
I have a page in my ASP.NET MVC project that users should be able to access just by pressing a link (without signing in). I think I should generate some kind of access token based on the username/userId, but I'm not really sure how. Full authentication (via sign in) should be necessary for all other pages.

Clicking a link like this http://example.com/specialpage?accesstoken={accesstoken} should take them to a page without having to sign in.

The controller should decrypt the token, get the username and render the view differently based on the user.

I know that it is not 100% secure, but it should at least not be possible to guess the token just by knowing the username.

What would be the best approach to do something like this? I'm using ASP.NET MVC 5 and Identity 2.

Joel
  • Well, get the accesstoken from the URL in the action "specialpage", decrypt it and check the values (password and username); if they are valid then simply log them in :) – Eru May 12 '15 at 12:07
  • @Eru Yeah, but that's the thing. The token should not contain username/password. It should be something generated server side and only include the username. What I'm really wondering is what the best way to generate that token is... – Joel May 12 '15 at 12:09
  • Hmmm, the problem itself is very simple: use a GUID and store it in the DB. The problem underneath that is "how will you send the GUID to a certain user?" By email? Here the security problem could be that someone can still steal the token of a certain user. – Eru May 12 '15 at 12:22

1 Answer

The token could be anything; it doesn't necessarily need to contain any sensitive information such as the username.

A token works by how the server remembers it, so in this case your token could simply be a GUID which is then mapped at the server-side to a known account. The benefits of this approach are:

  • No sensitive information distributed to the client
  • You can control expiration length / revoke rogue tokens from the server
  • Almost impossible for you to generate a duplicate token
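The pattern the answer describes (an opaque token that the server maps to an account, with expiry and revocation controlled server-side) as an added example for ASP.NET MVC 5; this is not code from the question, the answer, or the ASP.NET project. It assumes a route that maps `/specialpage?accesstoken=...` to `SpecialPageController.Index`, and uses an in-memory dictionary standing in for the database table the answer implies. It goes one step beyond the answer in two ways: the token is 32 bytes from the platform CSPRNG rather than `Guid.NewGuid()` (a GUID is unique but not documented as unpredictable), and only a SHA-256 hash of the token is stored, so a leaked table does not yield working links.

```csharp
// Added example, not from the original page. Opaque, server-side access tokens
// for a link-accessible MVC 5 action. Assumptions: a route sending
// /specialpage?accesstoken=... to SpecialPageController.Index, and an in-memory
// dictionary standing in for a database table.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Web.Mvc;

public sealed class AccessTokenRecord
{
    public string UserId { get; set; }
    public DateTimeOffset ExpiresAt { get; set; }
    public bool Revoked { get; set; }
}

// Maps SHA-256(token) -> record. Only the hash is stored, so reading the
// store does not yield usable tokens.
public static class AccessTokenStore
{
    private static readonly ConcurrentDictionary<string, AccessTokenRecord> Records =
        new ConcurrentDictionary<string, AccessTokenRecord>();

    // Issues a new token for a user. 32 CSPRNG bytes make the token
    // infeasible to guess from the username alone; the username is never
    // part of the token itself.
    public static string Issue(string userId, TimeSpan lifetime)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        string token = Base64UrlEncode(bytes);
        Records[Hash(token)] = new AccessTokenRecord
        {
            UserId = userId,
            ExpiresAt = DateTimeOffset.UtcNow.Add(lifetime),
            Revoked = false
        };
        return token;
    }

    // Returns the user id for a valid token, or null when the token is unknown,
    // expired or revoked. Callers cannot tell which of the three it was.
    public static string Resolve(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        AccessTokenRecord record;
        if (!Records.TryGetValue(Hash(token), out record)) return null;
        if (record.Revoked || record.ExpiresAt <= DateTimeOffset.UtcNow) return null;
        return record.UserId;
    }

    // Server-side revocation: the link stops working immediately.
    public static void Revoke(string token)
    {
        AccessTokenRecord record;
        if (Records.TryGetValue(Hash(token), out record)) record.Revoked = true;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
        }
    }

    // URL-safe encoding so the token survives being placed in a query string.
    private static string Base64UrlEncode(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
}

public class SpecialPageController : Controller
{
    // GET /specialpage?accesstoken=...  (the URL shape from the question).
    // AllowAnonymous lets this one action bypass the site-wide sign-in
    // requirement; every other action keeps full authentication.
    [AllowAnonymous]
    public ActionResult Index(string accesstoken)
    {
        string userId = AccessTokenStore.Resolve(accesstoken);
        if (userId == null)
        {
            // Unknown, expired and revoked tokens all get the same response.
            return HttpNotFound();
        }
        // Render per user without signing the user in: the token grants this
        // one view only, not a session for the rest of the site.
        ViewBag.UserId = userId;
        return View();
    }
}
```

Tokens are issued with `AccessTokenStore.Issue(userId, TimeSpan.FromDays(7))` when the link is generated, and `Revoke` is what backs the "revoke rogue tokens" point above. The controller deliberately does not call Identity's sign-in: the token authorizes one page, so a token that leaks in an email or browser history exposes only that page, not the account.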
James