[WEB SECURITY] Password-less login ?

Michal Zalewski lcamtuf at coredump.cx
Mon Jan 28 12:55:04 EST 2013

> https://someserver.com/login/a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2

In general, there are four things to be aware of:

1) Credentials encoded in the URL are very easy to accidentally leak
in any outgoing Referer headers, in screenshots, etc. This can be
mitigated, but it's also easy to mess things up.

2) Credentials encoded in the URL will by default end up in the logs
of the HTTP server - although again, this can be fixed. They may also
get recorded by various proxies, AV tools, browser toolbars, etc -
which is a bit harder to contain.

3) The user will be dependent on having access to bookmarks or some
other way to retrieve that URL to be able to log in from a particular
computer, since it's impossible to remember; and if his bookmarks are
deleted or corrupted, you will need to deal with account recovery. If
you are willing to put up with this, you may also want to consider
client SSL certificates or so as an alternative form of

4) Since all the information needed to access the account is stored on
the computer, any system compromise can be used to recover the access
token immediately, rather than waiting for the user to interact with
the targeted site. This may or may not matter.


More information about the websecurity mailing list