I will have username and password of gmail I want to develop an application in which i have an login in my site.When i do login in my site . I must get automatically login into gmail.There must be a link when the user clicks on the link he must be automatically get login into the site. I will demonstrate it with am example
Username:XXXXX Password:XXXXX
Click here to go to gmail
It will be something like above on my Website. When user enters the Username and password And gets login and if he clicks on the link.He must be able to see his gmail account.I mean to say he must be login to gmail.
This is a terrible idea, in order for your system to even attempt to log on to gmail - you would have to have access to your users' password in plain text format at some point.
That means, the password would either be stored as it is or you'd have to use an encryption function rather than hashing one to save the password within your db. At some point, you'd have to decrypt and send plaintext password for gmail logon.
So why not reverse the logic? Why not have the user logged on to your site if they are logged on to gmail? Mechanism for doing such a thing exists for years, it's called OpenID and even SO uses it. I suggest reading up on that rather than potentially screwing up someone's data with poorly designed system.
Related
I have a Web Application that permits user to register though a normal HTML Form, or via Facebook or Google.
The question is what password should I store in the database, because even if the OAuth provider gives me relevant information like email, name, age, etc... It Obviously does not give you a password.
What would be the correct password to store in Database?
I have a few ideas:
Generate a Random one and send it through email (Not very secure)
Add an empty string. (They will never be able to login using a password because on acceptin login request I validate that password should contain more than 5 characters, this sounds like a very hacky way to do it)
Make it compulsory to fill in a password after registering through OAuth provider.
Any Thoughts?
It depends entirely on your application. Is authentication going to run specifically through a 3rd party - i.e. googleAuth?
If it is, there is no need to store a password. If you would also like to handle authentication in your application then give a user an option to sign up with google/facebook or with your application.
I see 3rd party authentication as a better user experience because they don't have to register on another site. With that in mind, if they sign up on your site then require a password, if they choose a 3rd party authentication, don't store a password.
So I think I reached a security issue and I'm not sure how to handle it.
I'm enabling my users to change their registered email and password on my website. For these two actions, they should type in their current password (and also confirm the email with a token). It's all good, but when the user has done social login, he would not have a password to type.
My first idea was to just skip the typing password field when the user has no registered pass, but thinking again, it might be a security issue (he leaves it logged in somewhere and someone else could easily hijack the account)
So, what would be a good way of dealing with this issue?
If you want to protect against email address changes when the user doesn't have a password to type, you could send the user an email that they have to click in order to authorise their email address change.
This would only work if they haven't left their email account logged into too.
The flow would be:
Navigate to change email page.
Click button to authorise email address change - this sends an email to the user's existing email account, containing a 64 bit token, randomly generated by a cryptographically secure pseudo random number generator.
The user opens their email account and click the link.
If the token is valid, the page followed from the link allows their email address to be altered.
If the token is not used within say 6 hours, the token is expired.
Store the tokens hashed by SHA-256 in your database, to prevent any data leaks from allowing an attacker to change the email addresses of other users by constructing email reset links using the raw values.
We use google, paypal and facebook logins as authorization at our online shops. We handled it, that the user can only change their email address (=account username) when they registered directly at our shop software (with email verification) and only after the correct password has been entered.
When the user has registered by an open auth service (like facebook) he can only alter his email adress (=account username), if he transforms his open auth account to a real account. To do so he must first login by open auth, than he has to enter a valid email adress and a security token send to the old email address (provided by the open auth service) to verifiy he is the legit owner of the address. After that he has to choose a regular password to login.
Hold a flag somewhere (for example, a database column) to determine whether the user registered via a "social login". If it is set, the user can change its password. If it isn't, he doesn't come in with a password in the first place.
I am developing an admin panel for the company I'm working at, and was wondering about something. I want to increase the experience for the employee. I want them to be able to connect to their email by entering the login credentials, and then read the emails inside the admin panel. What I need help with is this:
If I establish an imap_open connection, I need the password in plain text (as far as I know). I can't safely save the password in the database knowing that it would be a catastrophe if a hacker got their hands on the data.
Basically, I want to:
Create an imap_open connection with an ENCRYPTED password. Preferably as bcrypt.
Do any of you know how to do this? I've searched on google, and even seen some other questions on stackoverflow, but I can't seem to find an answer to the question. I would NEVER save the password as plain text. And just using a COOKIE or SESSION seems cumbersome.. for the admin to login to their email all the time, when all I want is for the email to load for the appropriate admin account when logged in.
If I'm understanding correctly, you want to:
store the user's password securely on their machine
use it to connect to the mail server
download email
Storing the user's password in plaintext is clearly a no-no. There are different ways you can handle this. The application could actually request the password from the user, which is an easy but not very convenient solution.
Usually passwords are stored using one-way hashing schemes such as SHA256 or bcrypt, but that means that you can only check whether a password matches them; you can't retrieve the password and send it elsewhere. So you have to turn to symmetric key encryption. You store the encrypted password somewhere (in a database), and when you need it you retrieve it, decrypt it, and send it over your IMAP connection. The problem with encryption is that it relies on a key, which may be compromised at some point, but hashing is not an option if you need to retrieve it.
The other thing to note is the risk in sending the password in cleartext. This is very much taken care of if your server uses SSL.
Yes, of course AUTHENTICATE PLAIN encodes a password. But servers which support admin access allow you to encode the admin's password along with the user's name so you can access the user's account.
$login_str = sprintf("%s\x00%s\x00%s", $user_name,$admin_name,$admin_pwd);
$login_str = encode_base64("$login_str", "");
When you use the encoded string in an AUTHENTICATE PLAIN login you are given access to the user's account. And you don't need the user's password.
If you do this with AUTH PLAIN...
sprintf("%s\x00%s\x00%s", $user_name,$user_name,$user_pwd);
Then you get access to the user's account. But supplying admin credentials seems to do what the OP wants to do without storing passwords.
If your IMAP server supports admin login via AUTHENTICATE PLAIN then you don't need the user's password to access his mailbox.
Many IMAP servers support this, for example Dovecot, CommuniGate, Zimbra, to name three off the top of my head.
I'm having the issue with some facebook accounts. User granted email permission so I get from facebook back user info containing email. Checked with user he does have an email saved but instead of getting the actual email my app gets some weird app+e7mq0tl2e9.1atcj2t.9af3a401e9285e669c0480d3c4aa5fbe#proxymail.facebook.com
any thoughts why am I getting this instead of the actual user's email ?
Thank you in advance!
why am I asking this because based on the user's email I save his username (everything before '#') - but when I don't get the real user email I should probably force user to enter his email and username. In general Is there any useful articles or documentation regarding facebook and my website application interaction. For me the problem is once user sings up via facebook to correctly save the unique identifier for the user so next time user decides to Log in he can type in username and password (or still use facebook login which I assume will be the same as facebook sign up). But with sign up via facebook user does not specify his password so I need to generate/ask user to enter it...
Facebook users can opt to use an anonymized e-mail address provided by Facebook when authenticating with scope=email. E-mails to that address will be passed to their actual e-mail.
This has the benefit of being disabled when the user removes your app (very handy for potentially spammy apps like Zynga games). You can't disable this, and you should treat them as legitimate e-mails.
The whole point to using facebook signing is so the user doesn't have to enter their username and password (as they have already done it with facebook.)
In your case, the next time they want to login, they'll click the "facebook" button, and you'll authenticate them with facebook. If they are already logged into facebook, they won't need to enter a password. So don't ask them for a password, or for a username for that matter.
If you want them to have a username and password on your site, then don't bother with doing a facebook login.
For identification purposes use one of the facebook id's that facebook will give you.
I am planning the development of a website that rely heavily on facebook integration, for this reason I will primarily push the user to use the "facebook login" option. For some reason, I don't want to leave out users that doesn't like to login with Facebook, so I will implement a classic user registration with email and password.
Now my questions are:
what is the correct way to manage both logins? Should I store fb user data on a record, saving at first login (as a registration) their fb_userid as a reference to use their data on my app? Can I get and store (with user agreement of course) their facebook email on the first visit?
What happens if users that have registered with email only, one day want to login with facebook? Will this create a new user record or should I merge the two logins in a unique user record?
Do I need to set cookies and session for fb users or not?
I see a lot of websites now that are using this double login but I never figured out how they manage it. In the first time I was thinking to use facebook login only, but a lot of people suggested that is a bad idea. What do you think?
Thanks for your help!
i have the same thing. what i do:
my users table has: id, facebook_uid, email, password
if someone fconnects - i create a new user for him, unique AI id, set the facebook user id, the email, and generate a random password. i'm sending him the password by mail.
if someone registers - facebook uid is 0
someone tries to registered and email already exists with a facebook id - he has the password in the mail or can use forgot password etc.
someone tries to fconnect and email already exists - i use the already existing account:
my approach is, i can verify the email by sending him a confirmation link. fconnect is confirmation for me. in this case, i want to give him the account (since he owns the email). i can ask him to enter the password and regenerate one and send him.
of course, you can handle each of these cases differently - basic approach - verified email = you own an account. fconnect = verified email
EDIT: to note
once a user has fconnected - i set the login parameters in the session/cookie. i don't want to make a request to the facebook servers on every page view