Hi Les,

Thank you VERY MUCH for such a great, fast and clear explanation. I'm developing just a simple application and never thought of the consequences of fake "email clicks". What I will do, thanks to your explanations, is log the user in once he registers, but I will not activate it. Therefore, if he clicks the activation email later on, all I do is activate the account, and if the user is logged in (same session), he'll still be logged in.

Thank you again!

On Fri, Feb 5, 2010 at 8:25 PM, Les Hazlewood-2 [via Shiro User] wrote:

> Hi Miguel,
>
> Authentication is the act of proving an identity. If you don't require proof of their identity, then the user won't, by definition, be authenticated. What if that email was viewed and clicked by someone other than the user who registered? This is very possible and happens more than you might think, especially with spambot systems.
>
> Suggestion # 1:
>
> The way I've solved this myself is to actually perform a login on the user's behalf when they click that link. How do I do that? When they're registering on the site at first, they enter in an email address and password. I'll store that password (encrypted of course) in their session. When they click on the link, assuming that they do so during the same session as when they signed up (which is the large majority of cases), then I automatically call subject.login with the values stored in the session.
>
> If they click the link after their session has expired, they're forced to log in to the site, performing a real authentication. This paradigm is much more secure than automatically assuming a user is authenticated without requiring their credentials.
>
> Suggestion # 2:
>
> If you don't like #1, you could easily create something like a RegistrationKeyLoginToken - maybe a subclass of UsernamePasswordToken that also retains a secret key that is obtained from the HTTP request (usually a URL parameter). When the user accesses that URL, you transparently call subject.login with that Token instance with the secret key.
>
> When your Realm implementation receives the token in your doGetAuthenticationInfo implementation, you can see if it is the RegistrationKeyLoginToken and then check to see if the tokens match. If so, just return the AuthenticationInfo as if they had logged in with a password. If the token is not a RegistrationKeyLoginToken, perform the lookup based on username/password as normal.
>
> I personally would never use # 2 as I don't trust unencrypted email as a secure enough mechanism to auto-login my user. It's up to you though depending on your needs :)
>
> HTH,
>
> Les
>
> On Fri, Feb 5, 2010 at 1:52 PM, mcohnen wrote:
>
> > Hi!
> >
> > I'm using the shiro plugin with grails and I'm wondering if it's possible to perform a login (authentication) without knowing a user's password. I want to do that, so that when the user clicks on his confirmation email, I can automatically log him in if the confirmation was successful.
> >
> > Any ideas about this?
> >
> > Thank you!

--
Regards,
Miguel Cohnen de la Cámara

Sent from the Shiro User mailing list archive at Nabble.com.
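Les's Suggestion # 2 spelled out as a Shiro realm, as an added example that is neither Les's code nor part of the Shiro project: the token subclass, the doGetAuthenticationInfo branch on token type, and the normal username/password path left untouched. The two maps are hypothetical stand-ins for the application's user store; overriding assertCredentialsMatch (a protected AuthenticatingRealm hook) keeps whatever CredentialsMatcher the realm is configured with for passwords, and the constant-time comparison and single-use removal of the key are this example's additions, not something the thread prescribes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class RegistrationAwareRealm extends AuthorizingRealm {
    // Subclass of UsernamePasswordToken carrying the secret from the confirmation URL.
    public static final class RegistrationKeyLoginToken extends UsernamePasswordToken {
        private final String registrationKey;
        public RegistrationKeyLoginToken(String username, String registrationKey) {
            super(username, (char[]) null);            // no password: the key is the credential
            this.registrationKey = registrationKey;
        }
        public String getRegistrationKey() { return registrationKey; }
    }
    // Hypothetical stand-ins for the application's user store.
    private final Map<String, String> passwordHashByUser = new ConcurrentHashMap<>();
    private final Map<String, String> pendingKeyByUser = new ConcurrentHashMap<>();

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String user = ((UsernamePasswordToken) token).getUsername();
        if (token instanceof RegistrationKeyLoginToken) {
            String expectedKey = pendingKeyByUser.get(user);
            if (expectedKey == null) throw new UnknownAccountException("no pending registration");
            return new SimpleAuthenticationInfo(user, expectedKey, getName());
        }
        String hash = passwordHashByUser.get(user);              // normal username/password lookup
        if (hash == null) throw new UnknownAccountException("unknown user");
        return new SimpleAuthenticationInfo(user, hash, getName());
    }

    @Override
    protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        if (!(token instanceof RegistrationKeyLoginToken)) {
            super.assertCredentialsMatch(token, info);       // configured matcher (e.g. hashed passwords)
            return;
        }
        RegistrationKeyLoginToken rk = (RegistrationKeyLoginToken) token;
        byte[] supplied = rk.getRegistrationKey().getBytes(StandardCharsets.UTF_8);
        byte[] expected = ((String) info.getCredentials()).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison, then consume the key so a replayed link no longer works.
        if (!MessageDigest.isEqual(supplied, expected)) throw new IncorrectCredentialsException("key mismatch");
        pendingKeyByUser.remove(rk.getUsername());
    }

    @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) { return null; }
}
```

The confirmation-link handler then calls `SecurityUtils.getSubject().login(new RegistrationKeyLoginToken(user, keyFromUrl))`; Suggestion # 1 needs no realm change at all, since it re-submits the ordinary UsernamePasswordToken from the session.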
