Feature #1198

Link to log form including the log password

Added by sdennler over 2 years ago.

Status: new
% Done: 0%
Priority name: 2 medium
Assignee: -
Target version: -
Ticket reference:
Categories:

Description

Hello

It would be nice to be able to give a finder of a cache a URL which leads to the form to log a cache, with the log password already filled in the correct field. This would be especially useful for caches which consist "only" of a QR code or NFC tag.
In addition it would be great to have a little introduction to GeoCaching on the linked page if the user is not logged in. That way people who found the link but are not familiar with this hobby would not just see a login form.

I started implementing these features and have a working version for logged-in users. But I have some concerns and would like to have it discussed before I continue.
My current solution can be found here:

https://github.com/sdennler/oc-server3/commit/8eb81b7f15852e8fc48936b79ce1eefb9297a1ae

Issue

The log password is sent in the URL. Therefore it is logged in the server's log files and shows up in the user's browser history.

The best solution would be to use a POST request and send the password as POST argument (this works in a not so nice way already with the current productive code). But there is no defined way to start a POST request from a URL (in a QR code or NFC tag). A dedicated app would be necessary but that defeats the purpose of the whole thing.

Another way to implement it would be to use HTTP Basic Auth to transfer the password. A URL could look like this:
https://u:passw0rd@opencaching.de/OC123/log
But after such a successful request the user's browser will send the password for every further request, unless we show the user the ugly Basic Auth form and he has to click cancel.
Also this doesn't work well with all browsers.

When using the current GET request it would be possible to remove the passwords from the log files: https://serverfault.com/questions/220963/preventing-an-apache-2-server-from-logging-sensitive-data
But as the passwords are stored as plain text in the database, I don't think that is really necessary.

I would like to continue working on this feature after some feedback.

Thank you!
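
The log-file exposure described in the ticket, as an added example that is not part of the original post or of oc-server3: a filter that masks the log password in Apache combined-format access log lines, in both the request line and the Referer field. The parameter name `logpw`, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET_PARAMS = {"logpw"}   # assumed parameter name, not taken from the project
MASK = "REDACTED"

# Apache "combined": host ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] "\S+ )(?P<target>\S+)'
    r'(?P<mid> [^"]+" \d{3} \S+ ")(?P<referer>[^"]*)(?P<tail>".*)$'
)
# Applied when a line does not parse, so a malformed entry is never passed through unmasked.
FALLBACK_RE = re.compile(
    r'(?i)\b(' + "|".join(map(re.escape, SECRET_PARAMS)) + r')=[^&\s"]+'
)

def redact_url(url):
    """Mask secret query parameters and any userinfo (user:password@) in a URL."""
    parts = urlsplit(url)
    query = urlencode(
        [(k, MASK if k.lower() in SECRET_PARAMS else v)
         for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    )
    netloc = parts.netloc
    if "@" in netloc:
        netloc = MASK + "@" + netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))

def redact_line(line):
    """Return the log line with the password masked in request target and Referer."""
    m = LINE_RE.match(line)
    try:
        if m:
            return (m["head"] + redact_url(m["target"]) + m["mid"]
                    + redact_url(m["referer"]) + m["tail"])
    except ValueError:      # urlsplit rejects some malformed targets
        pass
    return FALLBACK_RE.sub(lambda s: s.group(1) + "=" + MASK, line)

# Constructed sample lines (host, path and password reuse the ticket's example URL).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2016:10:01:22 +0100] "GET /OC123/log?logpw=passw0rd HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2016:10:01:25 +0100] "GET /images/logo.png HTTP/1.1" 200 812 "https://opencaching.de/OC123/log?logpw=passw0rd" "Mozilla/5.0"',
    'truncated entry "GET /OC123/log?logpw=passw0rd',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact_line(entry))
```

The second sample line shows that the password also reaches the log through the Referer of follow-up requests, so masking only the request line is not enough.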
