Home/ Questions/Q 8815761
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T04:27:26+00:00

Currently we have a typical web application, which all the clients access and login

  • 0

Currently we have a typical web application, which all the clients access and login using their credentials.

One of the client does not want to login using their credentials, instead they will be passing username, fname, lname in the URL and they should be automatically be logged in if they have an acct or else we need create user account on the fly and log them in.

The web app should act the same way for the rest of the clients. How can this be achieved. Do we need to use any single sign on methodology (SAML, etc)?

Overview of requirement:

Request URL -> Determine if Client is A -> if yes then check the values passed in the url exists in the db -> if yes then log them in automatically -> if no create a record with the passed values and then log them in

—> if client is not A then take them to Login screen

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you are planning to base your decision only on some URL values to allow automatic login, you are creating a very biiig security loophole here.

    Instead you should have some configurable mechanism, where system admin maps some IP addresses to specific user. This way when user requests for a page, you check if the IP from which request has come in, belongs to some specific client. If yes, then log him/her in else send them to login screen. This is also a bit of security hole, but a smaller one, because people will not gain access until they know which IPs are mapped to users and until they use some ip spoofing software.

    Probably you can put a dual check of URL keys and IP mapping, that will make it tighter.

    Best option is to use single sign on technologies like live id authentication. but it will require more efforts, and still requires users to login with live-id for the first time.

    edit–>

    If you are using your custom authentication mechanism, then you have 2 options
    1. Change your login page to detect the request IP and have automatic login for selected users
    2. Write a http handler which will check where the request is coming from and auto login the selected user accordingly.

    I hope you understand what all things are involved in “Auto Login” which i am talking about. e.g setting the session variables/username, displaying the username on page etc.

    • 0