It sounds like you need a bog-standard username/password
authentication system just like every other site.
No need to include someone's email address in the link - that will
result in weirdness when people email their unique link to a colleague
(I guarantee this will happen).
Link directly to the resource URL - test if they are logged in, and if
they have access to view and/or edit the content. Show them the form, or
an appropriate message if they aren't allowed to see it.
Offer a remember-password option, a forgot-password feature and a
register page, if this is appropriate. Keep in mind that if you allow
free-for-all registrations, this doesn't actually add any additional
security, just inconvenience. So you may want to consider admin approval
for new registrations.
There will be scripts out there that handle most of this for you, though
I can't personally recommend one.
Harvey.
On 29/09/2010 12:00 p.m., Brendan Brink wrote:
Thanks for that Berend,
I have come up with a solution:
The link has the email address appended and a hashed email address appended,
i.e.: form.php?h=heu9oghsodiug&[email protected]&eh=huieghsuilehgeslhgs
so when going to the form:
1. know what form they want to view
2. what email address (user) they are
3. whether they are permitted to view the form (compares the email to the
email hash in the link)
If the person is logged in, it shows them the form; otherwise:
it prompts for a password to accompany their unique email address;
if they are not a user yet, it allows them to create a password, which
then emails them a link to activate their account.
Once they have activated the account, they can click on the original
form link again, log in and view the form.
------
This should make the login process simple and secure and the registration
system very simple.
Any comments on the above security? Or enhancements you would make?
On Wed, Sep 29, 2010 at 11:51 AM, Berend de Boer <[email protected]> wrote:
"Brendan" == Brendan Brink <[email protected]> writes:
Brendan> The client wants to know is there a way to make it more
Brendan> secure without forcing a username / password security
Brendan> feature on the system ...as the ability to click on a
Brendan> link in an email to go through to the form works
Brendan> efficiently...
So the client wants to follow a link without having to prove their
identity...
Sorry, ain't going to work.
You can constrain access by IP address (or reverse IP address); that's
the only option. And you would have to add new IP addresses for people
who are also allowed to view this.
But I don't understand why clients can't use the remember password feature...
--
All the best,
Berend de Boer
--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
--
Harvey Kane
Phone:
- Auckland: +64 9 950 4133
- Wanaka: +64 3 746 8133
- Mobile: +64 21 811 951
Email: [email protected]
If you need to contact me urgently, please read my email policy
www.ragepank.com/email/
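Harvey's suggestion at the top of the thread (link straight to the resource, check that the visitor is logged in and permitted, and otherwise show a message or send them to log in) written out in PHP, as an added example that is not code from anyone in the thread. The `db.php` include, the `$pdo` connection and the `form_access` table are assumptions made for the example.

```php
<?php
// Added example (not from the thread): Harvey's approach in PHP.
// Assumptions: db.php defines a PDO $pdo, and a hypothetical table
// form_access(user_id, form_id, can_edit) lists who may see/edit each form.
require 'db.php';
session_start();

/** Logged-in user id from the server-side session, or null if not logged in. */
function currentUserId(): ?int {
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

/** The caller's permission on one form; null means no access at all. */
function formPermission(PDO $pdo, int $userId, string $formId): ?array {
    $stmt = $pdo->prepare(
        'SELECT can_edit FROM form_access WHERE user_id = ? AND form_id = ?'
    );
    $stmt->execute([$userId, $formId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : ['can_edit' => (bool) $row['can_edit']];
}

/** Only allow a same-site path as the post-login return target. */
function safeReturnPath(string $uri): string {
    // "//host/..." or "http://host/..." would redirect off-site; fall back to "/".
    if ($uri === '' || $uri[0] !== '/' || substr($uri, 0, 2) === '//') {
        return '/';
    }
    return $uri;
}

// The link only needs to identify the resource: form.php?id=123
$formId = $_GET['id'] ?? '';
$userId = currentUserId();

if ($userId === null) {
    // Not logged in: go to the login page, remembering the requested form.
    $next = safeReturnPath($_SERVER['REQUEST_URI'] ?? '/');
    header('Location: /login.php?next=' . rawurlencode($next), true, 302);
    exit;
}

$perm = formPermission($pdo, $userId, $formId);
if ($perm === null) {
    http_response_code(403); // logged in, but not permitted to see this form
    echo 'You do not have access to this form.';
    exit;
}
// Permitted: render the form, read-only unless $perm['can_edit'] is true.
```

Because the identity comes from the server-side session rather than from the link, a forwarded link only ever grants what the recipient's own account is allowed.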