TalkPHP

TalkPHP > Absolute Beginners > Desktop icon to pass login? (http://www.talkphp.com/absolute-beginners/2315-desktop-icon-pass-login.html)

oMIKEo 02-22-2008 10:44 AM

Desktop icon to pass login?
 
Hi,

Is it possible so that when a user logs into their account they have the option to download a desktop icon which is unique to their account and will allow them to double click that icon, pass through the login process of the website and open directly into their account?

If that is possible, how would I go about doing that?

Thanks for any help,
Michael.

TlcAndres 02-22-2008 10:52 AM

For windows you'd probably have to create a shortcut to your site that contains a hash ID unique to the user.

oMIKEo 02-22-2008 11:23 AM

logmein.com have it so you can drag the icon from their page to your computer, and it has the icon image and links to your account. I could add a more complex unique ID to each account and use that, but it's the process of the user clicking a button and an icon appearing on their desktop linking to a set address that I'm not sure how to do...

Thanks

SOCK 02-22-2008 02:26 PM

I agree with TlcAndres; at the very least you'd have to hash the password value tacked onto the GET string. I'd recommend against doing this altogether, for me it doesn't do much in adding value to the user, and takes security down a notch or two.

Why not simply log them in once, and give them a 'remember me' cookie that holds a token logging them in at a later date? Most PHP applications (this forum being one of them) do this.

oMIKEo 02-22-2008 05:51 PM

Sorry to ask a stupid question but can you explain "hash the password"?

SOCK 02-22-2008 07:52 PM

It is the norm to store the value of the hash of the password rather than a cleartext password. You don't want to just store '123pass' or something in your database as-is. So it is common to 'hash' the password value using MD5, SHA1, or any number of other common hash methods, and instead store the hash value. When you check the database against the user's password, you check it against the hash value, not the actual input value. That value would be considered safer to send along in a GET string than a plaintext password. Not perfect, but safer.

Try this:
PHP Code:

<?php
// the password to hash, as the user typed it
$password = '123pass';

// print the MD5 and SHA1 digests of the same input
echo "The MD5 hash value of '{$password}' is: " . md5($password) . '<br />';
echo "The SHA1 hash value of '{$password}' is: " . sha1($password) . '<br />';

Play around with that a bit, substitute '123pass' with any number of real passwords you might use, experiment with different hash functions. Make sure you check the string length of each hash output as well. For example, MD5 is always a 32 char base 16 (hex) value. SHA1, similarly, is always a 40 char base 16 (hex) value. Other hashes produce longer (or shorter, but you don't want to bother with them) values. It is usually a safe bet that the longer the hash value, the better it is. When designing your database, define the column length to be a CHAR(32) or CHAR(40), etc. to fit that size hash value.

You can also use a 'salt' combined with a hash to make it even more secure. Every password you store in the database, for example, might be 'salted' prior to storage and checking.
PHP Code:

<?php
$password = '123pass';
// the salt - uniform for all passwords stored
$salt = 'YeScurvyDogs';
// return the value: hash of salt concatenated with the password
$hashedPassword = md5($salt . $password);

See what we're doing there? We're using the salt concatenated to the password value to make it even more secure. So the hashed value doesn't match the plain hash of md5($password). It may be complex at first, but play around with it and see how it works. I typically store the salt in a database field that is retrieved prior to every hash, so it actually stays in the database and not in the script.
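An added example, not code from the thread, showing the salted-hash idea above carried through with a per-user random salt and a slow hash instead of one site-wide salt and md5(). It uses PHP's built-in password_hash()/password_verify() (PHP 5.5 and later), which generate and embed the salt themselves. The users table, column names and the in-memory SQLite database are assumed for the demo.

```php
<?php
// Added example (not from the thread). Contrasts the thread's single-salt
// md5() scheme with password_hash(), which uses a random per-user salt and
// a deliberately slow hash (bcrypt by default).
// Assumed schema: users(id, username, password_hash).

// The thread's approach: one site-wide salt and a fast hash. Two users with
// the same password get the same stored value, and md5() is fast enough that
// a leaked table can be brute-forced at very high speed.
function legacyHash(string $password, string $siteSalt): string
{
    return md5($siteSalt . $password);
}

// password_hash() picks a random salt per call and returns a string that
// carries algorithm, cost and salt, so only one column is needed and the
// salt never has to be stored or looked up separately.
function storePasswordHash(PDO $db, int $userId, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
    $stmt->execute([':h' => $hash, ':id' => $userId]);
}

// Verification reads the salt and cost back out of the stored string.
function checkPassword(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['password_hash'] === '') {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Demo on a constructed in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->exec("INSERT INTO users (id, username, password_hash) VALUES (1, 'michael', '')");

storePasswordHash($db, 1, '123pass');
var_dump(checkPassword($db, 'michael', '123pass'));   // correct password
var_dump(checkPassword($db, 'michael', 'wrong'));     // wrong password
var_dump(checkPassword($db, 'nobody', '123pass'));    // unknown user

// Same password hashed twice: the legacy scheme repeats itself, the
// per-user salt makes every password_hash() result different.
echo legacyHash('123pass', 'YeScurvyDogs'), "\n";
echo legacyHash('123pass', 'YeScurvyDogs'), "\n";
echo password_hash('123pass', PASSWORD_DEFAULT), "\n";
echo password_hash('123pass', PASSWORD_DEFAULT), "\n";
```

The point of the per-user salt is that an attacker with a copy of the table cannot hash a candidate password once and compare it against every row; each row has to be attacked separately, and the slow hash makes each attempt cost far more than an md5() call.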

Kalle 02-22-2008 08:45 PM

You'll need to create a Windows application or a shortcut with some sort of validation hash. My best suggestion would be to make a Windows application for that.

TlcAndres 02-22-2008 09:55 PM

To extend on what I said, a .url file with the following would suit your purposes:

Quote:

[InternetShortcut]
URL=http://site.com/?hash=somethingextremelylongherethatisn'tlikelytobeguessed

Have the hash checked against the database and that's it. I would recommend hashing some bit of data that isn't known to the user or any other person, for that matter. For instance, if you happen to store the last known login time for non-user related purposes (like logs), then hash that and store it within the .url. Even then, a hacker who got into your database would not even need to go through the rainbow table process to crack the user's account; they'd simply copy the hash value into their own .url file and click to log in, and there's no verification you can add to check, because if you ask for their real name, it's right there in the database records. Asking for a question to answer to verify would defeat the purpose of the .url file.

So in essence, what I am trying to say is - Don't do it.
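An added example, not code from the thread, addressing the specific weakness TlcAndres describes: a shortcut value derived from data already in the database (or simply copied out of it) lets anyone with a database dump log in. Here the .url file carries a random bearer token generated from the OS CSPRNG, and the database stores only a SHA-256 hash of the secret part, so a database copy alone does not produce a working shortcut. It does not remove the other problem the thread raises: the .url file itself is a credential, and whoever copies it off the desktop can log in. The shortcut_tokens table, column names, site URL, token lifetime and in-memory SQLite database are assumed.

```php
<?php
// Added example (not from the thread). Assumed schema:
//   shortcut_tokens(selector, verifier_hash, user_id, expires_at)
// The token in the .url is "<selector>.<verifier>": the selector is the
// lookup key, the verifier is the secret and only its hash is stored.

const TOKEN_LIFETIME = 30 * 24 * 3600;   // 30 days; assumed policy

function makeShortcut(PDO $db, int $userId, string $siteUrl): string
{
    $selector = bin2hex(random_bytes(8));    // 16 hex chars, lookup key
    $verifier = bin2hex(random_bytes(32));   // 64 hex chars, never stored raw
    $stmt = $db->prepare(
        'INSERT INTO shortcut_tokens (selector, verifier_hash, user_id, expires_at)
         VALUES (:s, :h, :u, :e)'
    );
    $stmt->execute([
        ':s' => $selector,
        ':h' => hash('sha256', $verifier),
        ':u' => $userId,
        ':e' => time() + TOKEN_LIFETIME,
    ]);
    // Windows Internet Shortcut format, as in the thread; CRLF line endings.
    return "[InternetShortcut]\r\nURL={$siteUrl}/shortcut-login.php?token={$selector}.{$verifier}\r\n";
}

// Returns the user id the token belongs to, or null if it is malformed,
// unknown, expired, or the verifier does not match.
function userFromToken(PDO $db, string $token): ?int
{
    if (!preg_match('/^([0-9a-f]{16})\.([0-9a-f]{64})$/', $token, $m)) {
        return null;   // reject malformed input before touching the database
    }
    [, $selector, $verifier] = $m;
    $stmt = $db->prepare(
        'SELECT user_id, verifier_hash, expires_at FROM shortcut_tokens WHERE selector = :s'
    );
    $stmt->execute([':s' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison of the stored hash with the hash of what
    // the user presented. A database copy holds verifier_hash, not verifier,
    // so it cannot be pasted into a .url file as the thread describes.
    if (!hash_equals($row['verifier_hash'], hash('sha256', $verifier))) {
        return null;
    }
    return (int)$row['user_id'];
}

// Demo on a constructed in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shortcut_tokens (selector TEXT PRIMARY KEY, verifier_hash TEXT,
           user_id INTEGER, expires_at INTEGER)');

$urlFile = makeShortcut($db, 1, 'https://site.com');   // assumed site URL
echo $urlFile;

// Pull the token back out of the file the way the login page would see it.
preg_match('/token=([^\r\n]+)/', $urlFile, $m);
$token = $m[1];

var_dump(userFromToken($db, $token));                       // the user id
var_dump(userFromToken($db, substr($token, 0, -1) . '0'));  // tampered verifier
var_dump(userFromToken($db, 'not-a-token'));                // malformed

// What a database thief gets: the hash, which userFromToken() will not accept.
$stolen = $db->query('SELECT selector, verifier_hash FROM shortcut_tokens')->fetch(PDO::FETCH_ASSOC);
var_dump(userFromToken($db, $stolen['selector'] . '.' . $stolen['verifier_hash']));
```

On the server, shortcut-login.php would call userFromToken() with $_GET['token'], then start a session and regenerate its id before storing the user id; because the token travels in the URL it also ends up in browser history and web-server logs, which is one more reason the thread's "remember me" cookie is the better fit.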

