TLDR: Is it possible to email a login button which will open a web page and enter the appropriate user information into the username/password fields? Is it possible to embed this within an HTML button, or possibly in SQL injection? If so, where should I start my research to make this happen?
OK, so what I am tasked with is generating the billing lists for about 2000 non-technical users. Currently we use a third party billing site which does not have an API or any way to authenticate users from the URL heading. What we have been doing is using mail-merge to email users their username and password along with a link to the billing site. This is great, except that our users are... special. We get dozens of phone calls a day from elderly users who can't copy/paste the given information into the website.
What I am looking for is someone to point me in the right direction for making an email click here button that will open the web page, enter the username and password (from a CSV/XML of usernames/passwords) and click enter.
I'd even settle for opening the webpage with their credentials filled into the appropriate fields. Is there a way to do this? What is the best way to go about this?
Before we get into best practices/security, CC information isn't stored on the site, and the only user info view-able is the invoice, so security isn't a huge concern here since the users can't set their own passwords (username / password generated from static fields in another database silo).
Not looking for someone to do this project for me, but perhaps a few friendly pointers in the right direction for how to do this.
Is it possible to email a login button which will open a web page and enter the appropriate user information into the username/password fields?
Not unless either:
The website is specifically designed to allow that. Since you said it was a third party side, then you would have to ask the people who wrote it.
The site suffered from an XSS security vulerability. (Explaining how to search for one would be too broad for a SO answer, searching for one would be illegal pretty much everywhere).
Related
I am looking to make a website whereby a user will be able to login and register. Once registered and logged in I would like for them to see a list of their own customers and carry out some functionally configured to the user (e.g send an SMS from their registered phone number).
I have seen plenty of tutorials on how to implement both login and register functionality. But I have no idea how to make the information shown be specific to each customer?
Can someone assist by pointing me in the right direction for something like this? Or even a template that may already have it done?
So fair I have been able to create a very basic site (localhost) that has a user login and registration form.
Sending SMS from website is done with paid services, you can search some of them.
User specific website is done for example by using PHP. For example you have form for registration and then save the data into a database. Next time the user comes, you offer him login form, if he logs in succesfuly, you now know who the user is and offer some content according to the user. For example (simplified) you will have a folder named "Peter" and in this folder you will have informations about Peters customers. And if Peter logs in, you offer him data from this folder.
Is there any reason a site login needs a username/password? If an email address or cell number is supplied a text or email could be sent back at which point you would click on the link. Would this be enough to be considered authenticated by the site. Much like a password reset email/text, except you would be logedin instead.
Maybe this is not the correct forum to post this.
But, usually an username gives more sense of "ownership" / sense of belonging to an account.
Also for security reasons! I'd rather not give my personal email to everyone or in some places.
And if they already ask my email, I would imply my username is the information other users have access to, and not necessarily my email.
e.g. a Forum / Payments / etc...
I am writing a simple mailing application, however I am not yet aware of the full capabilities of HTML editing within the mailing world.
I would like to give the website administrator the choice to accept or to refuse a reservation by sending him an overview of the reservation. Below in the mail I had 2 buttons in mind, accept & refuse.
I tried using a form within the HTML e-mail but almost every mailing client blocks this out.
Is there another method to do a http post command to let's say myserver.com/accept or myserver.com/refuse from within an e-mail without having to open an additional webpage?
If not, what is the best way to achieve such things?
This is a pretty relevant article: https://www.sitepoint.com/forms-in-email/
Basically he concludes that support is not reliable so you should not use forms in emails which I agree with.
Since you say you want to give this choice to a website administrator I think you probably want some sort of authentication. So I could see it working something like this...
Send the admin an email containing two links mysite.com/reservations/:reservation_id/accept and mysite.com/reservations/:reservation_id/refuse.
Admin clicks on one of the links
Link opens in the browser and your site(controller -> ReservationService) accepts or refuses based on the id and action in the url
You will have a few things to consider, such as authentication(I assume you already have this since you have the notion of website admin?), authorization(can this admin accept or deny the reservation?), does the reservation exist, has the admin already accepted or denied the reservation, etc.
There's an interesting problem I'm facing as an educator. I want to collect user names in a form, but when I do that, it automatically enables students to email themselves a copy of their response.
I believe there's a way to somehow poll who's responded. When you enable the "one response per user" option, it doesn't require a stored user name. I know the information is out there somewhere - I just don't know how to get to it.
Any help would be greatly appreciated!
EDIT: I neglected to be specific about the coding aspect - apologies. I'm generating the form programmatically, and wanted to know if the information is stored somewhere in the response when the one-response-per-person option is enabled. After more digging, it appears that the easiest way to deal with this is to use an extension to handle disabling the email option.
Thanks for all your help!
you cant get the user email unless you enable that option like you mentioned. yes google might internally know who you are if you were already logged-in but its not perfect because using chrome incognito mode for example would not detect the email.
one way I can think is to:
1) with apps script generate an array of all student emails and a random password. dump to a private spreadsheet and use as your database for the next script.
2) in your forms, ask first as a form question the custom username and password.
3) on another script you can generate form urls with prefilled usernames and passwords and email each student their own custom form url.
when the student opens the form to respond, the username and password would be prefilled already.
not perfect but a malicious user would need to hack the email and if they can hack their email then they could also impersonate the user logged-in.
I have three websites: a.example.com, b.example.com, and c.net. Each was built a couple years after the other and all have their own users table.
I want to integrate these sites together so that I can login with a single username/password combo and have access to all three sites just by clicking links without having to login again.
I've never done an integration like this before, so looking at two angles:
1) Create another website, 'd.net' where new accounts can be created. If you login to one of the original three sites, it asks you for your d.net account. If you dont have one it asks you to make one. In your 'account settings' on d.net, you can 'add sites' to your account by entering your old username and password for them. Sound reasonable?
2) Solving the technical problem of being able to one-click login to another of the three sites if i'm already logged into d.net. Afaik, cookies with a session ID can't be shared across domains. So... maybe generate a token and save it to the database. Send token over GET to another website, which can check the token, log the user in, and then delete the token. Sound about right?
Have you looked at OpenID?
http://en.wikipedia.org/wiki/OpenID
Don't have to re-invent the wheel.