In order to bypass a website's login screen, can you load a link with a username and password?_问答_开发者

In order to bypass a website's login screen, can you load a link with a username and password?

开发者 https://www.devze.com 2022-12-27 08:38 出处：网络

I am relatively new to web development, and I was hoping I could get some pointers about the feasibility of a feature I would like to implement. Is it possible to have a url link that you can click on, that can contain login credentials开发者_开发百科 for the website it is linking to, so as to bypass that websites login screen?

In other words, can I make a link from my website to facebook, that would allow me to login right in to my facebook, from any computer? Meaning, if I don't have cookies to store my login info in, is it possible to login still?

This is just a conceptual question, so any help would be appreciated! Thanks!

One reason why this is generally avoided, is because web servers often store the query string parameters in the access logs. And normally, you wouldn't want files on your server with a long list of usernames and passwords in clear text.

In addition, a query string containing a username and password could be used with a dictionary attack to guess valid login credentials.

Apart from those issues, as long as the request is made via HTTPS, it would have been safe during the transit.

It is possible to pass parameters in the URL through a GET request on the server, but one has to understand that the request would likely be made in clear text and thus isn't likely to be secure. There was a time where I did have to program a "silent" log-in using tokens, so it can be done in enterprise applications.

You used to be able to do this, but most browsers don't allow it anymore. You would never be able to do this using facebook only something that uses browser auth (the browser pops up a username/pass dialog)

it was like this: http://username:pass@myprotectedresource.com

What you might be able to do is whip up some javascript in a link that posts your username and password to the login page of facebook. Not sure if it will work because you might need to scrape the cookie/hidden fields from the login page itself.

It is possible for the site to block you on account of no cookies, or invalid nonce or wrong HTTP referrer, but it may work if their security is low.

While it is possible, it is up to the site (in this case Facebook) to accept these values in the query string. There are some security issues to consider certainly, and isn't done generally.

Though, there are different options out there for single sign on. This web site uses OpenID for that.