Posted by Gordon Burditt on 03/10/06 03:16
>1. Make them log in using their email address as a username. Email them
>their passwords first.
>
>2. For people who have cookies enabled, store a cookie on their computer
>identifying them.
>
>3. Use the cookies for future logins. Perhaps change the cookie at the
>start of each session. Perhaps make this expire.
>
>Alternatively, or if cookies are off, I could require a code, used for one
>session only, to be used for a session. The user would enter their email
>address. If it matched a list then the code would be sent to the user via
>email and they could use it as a password.
>
>Any thoughts? I do not want to make a special mail shot just to give
>everyone passwords by mail. Too much effort and cost for too little
>reward.
A bank uses this approach for online banking (overkill for your
purposes, but there are some lessons here):
1. Users already have usernames and passwords assigned for using online
banking. They have also already chosen an image and a title for
that image (the "site key"), and answers to some security questions.
2. User goes to the web site, enters his username, and submits the form.
3. If the computer already has the bank cookie on it for this
account, go to step 6.
4. The user is asked one of the security questions. He's also asked
if this computer is at a secure location. (home or work computer:
maybe secure. internet cafe or library: not secure).
5. The user submits the form. If the info is not correct, go to 4 for
a limited number of tries.
6. A page displays the user's site key (an image and a title for it).
If the user does not see the site key, he has been warned NOT to
enter his password as this may be a spoof site.
7. User enters his password and submits the form.
8. If the password is correct and the computer is at a secure location
(according to the user), the server puts the bank cookie on the computer.
9. The page for online banking is returned.
You probably don't want to go through the whole "site key" thing,
although if there's a chance someone might spoof your site, it could
be worthwhile. Bank spoof sites have become a serious problem.
The point here is that the presence of a cookie can be used to bypass
part of the login sequence, but *LET THE USER SAY WHETHER THE COMPUTER
IS SECURE OR NOT* before putting something on it that lets people
log in as the user. Also it lets people who don't allow cookies
at all in, but they have to go to a little extra trouble.
Perhaps you could allow someone in with the cookie *OR* a password,
but let them ask for the cookie (or not).
Gordon L. Burditt
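The bank sequence Gordon lays out (steps 2 through 9) as working code. This is an added example, not code from the post or from any bank's site; the account data, the questions and answers, the site keys, the three-try limit and the class and function names are all constructed for the demo.

```python
"""Remembered-device login flow modelled on the bank sequence in the post above.

Added example: nothing here is code from the post or from a real bank. All
accounts, security questions, site keys and constants are constructed.
"""
import hashlib
import hmac
import secrets

# Assumption: the post only says "a limited number of tries"; three is a demo value.
MAX_CHALLENGE_TRIES = 3
DUMMY_QUESTION = "What was the name of your first pet?"  # shown for unknown usernames


def _hash_secret(secret, salt):
    """PBKDF2-HMAC-SHA256 over a password or a case-folded security answer."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _matches(secret, salt, expected):
    return hmac.compare_digest(_hash_secret(secret, salt), expected)


def _norm(answer):
    return answer.strip().lower()


class Account:
    def __init__(self, username, password, site_key, questions):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash_secret(password, self.salt)
        self.site_key = site_key  # (image, title) the user chose at enrolment
        self.answers = {q: _hash_secret(_norm(a), self.salt) for q, a in questions.items()}


class LoginServer:
    def __init__(self):
        self.accounts = {}
        # sha256(cookie value) -> username. Only the hash is kept, so a copy of
        # this table cannot be replayed as a remembered-device cookie.
        self.device_cookies = {}

    def add_account(self, acct):
        self.accounts[acct.username] = acct

    @staticmethod
    def _cookie_id(cookie):
        return hashlib.sha256(cookie.encode()).hexdigest()

    # Steps 2-3: username submitted. A cookie bound to *this* account skips to step 6.
    def begin(self, username, cookie=None):
        session = {"username": username, "stage": "challenge", "tries": 0, "trusted": False}
        acct = self.accounts.get(username)
        if acct is None:
            session["question"] = DUMMY_QUESTION  # unknown user gets an unanswerable challenge
            return session
        if cookie and self.device_cookies.get(self._cookie_id(cookie)) == username:
            session["stage"] = "site_key"
            return session
        session["question"] = secrets.choice(sorted(acct.answers))
        return session

    # Steps 4-5: security question plus the user's own "is this computer secure?" answer.
    def answer_challenge(self, session, answer, trusted_device):
        if session["stage"] != "challenge":
            raise ValueError("session is not awaiting a challenge answer")
        session["tries"] += 1
        acct = self.accounts.get(session["username"])
        expected = acct.answers.get(session["question"]) if acct else None
        if expected is not None and _matches(_norm(answer), acct.salt, expected):
            session["stage"] = "site_key"
            session["trusted"] = trusted_device
        elif session["tries"] >= MAX_CHALLENGE_TRIES:
            session["stage"] = "locked"
        return session["stage"]

    # Step 6: the site key is revealed only after the cookie or the challenge cleared.
    def site_key(self, session):
        if session["stage"] != "site_key":
            return None
        return self.accounts[session["username"]].site_key

    # Steps 7-9: password always required; cookie issued only on a user-declared secure device.
    def submit_password(self, session, password):
        if session["stage"] != "site_key":
            raise ValueError("password must not be entered before the site key is shown")
        acct = self.accounts[session["username"]]
        if not _matches(password, acct.salt, acct.password_hash):
            return {"logged_in": False, "set_cookie": None}
        cookie = None
        if session["trusted"]:
            cookie = secrets.token_urlsafe(32)
            self.device_cookies[self._cookie_id(cookie)] = acct.username
        session["stage"] = "logged_in"
        return {"logged_in": True, "set_cookie": cookie}


def build_demo_server():
    """Two constructed accounts; none of this data is from the post."""
    srv = LoginServer()
    srv.add_account(Account("alice", "correct horse battery staple", ("lighthouse.png", "foggy morning"),
                            {"In what city were you born?": "Lisbon", "First pet's name?": "Rex"}))
    srv.add_account(Account("bob", "hunter2", ("bicycle.png", "sunday ride"), {"Favourite teacher?": "Ms Okafor"}))
    return srv


if __name__ == "__main__":
    srv = build_demo_server()
    s = srv.begin("alice")
    print(s["stage"], s.get("question"))
```

The two points the post stresses map onto two lines: the cookie lookup is keyed by account, so a cookie taken from one machine only ever shortens the challenge step for the account it was issued to, and the cookie is written only when the user answered that the computer is at a secure location. The password is required on every path; the cookie replaces the security question, never the password. Storing only a hash of the cookie value means a leaked server table does not hand out ready-made remembered-device cookies.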