Automatic login for Web based GUI

There are many ways for this to be done.

One would be, as you suggested, to have the login process store a local cookie in the browser, which is queried for in every request to check if a user is authenticated and/or authorized for the current request. However, cookies are becoming an increasingly outdated technology and may not be the safest solution, depending on how the user's browser handles cookies.

Another solution could be to incorporate a special query parameter in the link behind the login button, containing a unique SHA256 hash string. This hash is simultaneously stored somewhere in the application, along with minimal information specifying the user authorized for the request.

That way a user can click the deeplink in the email, without any form of authentication on the user's end. And guesstimating a SHA256 hash is significantly harder than intercepting a basic auth header and decoding the Base64 string, especially when a predetermined salt is used for the hashing algorithm.

All in all, definitely a great solution to make things easier on the end-user.

Hi guys,

I like the idea.

I think we should let it up to the user to tell the browser to remember their credentials. That's the safest way to store the credentials in the client. When the user allowed it and a deeplink is incoming, we can try to continue seamless to the main page without user interaction.

Notice the Web GUI doesn't allow you to work with multiple GUI's in the same browser. Others will be logged off.

I think our Universal GUI will support this seamless, when deeplinking is supported.

Regards, Erik

Notice the Web GUI doesn't allow you to work with multiple GUI's in the same browser. Others will be logged off.

If the user's main instance is logged off when another is opened in the same browser, it seems very tedious to run these tasks from an e-mail with automatic authentication in general.

The user could be doing other work while waiting on the e-mail. If he then clicks the deeplink, all his work is lost as the instance will be automatically logged off. Unless I misunderstand the inner workings of the web GUI as you described, this renders automatic authentication in deeplinks as more of a hazard than an addition to a smooth workflow.

I think we should let it up to the user to tell the browser to remember their credentials. That's the safest way to store the credentials in the client.

This depends on how the client remembers passwords. A lot of people are using third-party tools such as Dashlane or 1Password instead of their browser's built-in credentials vault. Most of those tools do not allow links to directly read credentials (or without prompting the user at least, again rendering this solution slightly redundant).

You're true. As a workaround, you could think of a separate Web GUI instance to handle deeplink request from the version the user works in, in general.

As I mentioned, this problem will be resolved in time using the Universal GUI.

Lets keep up the technical implementation of remembering the credentials to our developers ;) Thanks for thinking about it.