The login process is very important for every website that has content or functions that should not be available to unregistered users. As a general rule, passwords should never be exposed in clear form in emails, instant messages or as part of a web link.
But there are cases when this rule may be relaxed. First of all, depending on the security policy of your website, users who log in may be assigned to different user groups with different privileges. It is evidently not the same whether a logged-in user may view your company's confidential information or create/edit content of your website, or whether the only thing he is authorized to do is leave a comment on your site or view his support ticket progress online. Another scenario: you have prepared a summary information page for your client and would like to email him a link to that page. With the login assistant your client does not need to remember his username and password. Even more, after login he will be redirected to the target page automatically!
The login assistant may be implemented as a separate component, as a special controller in your component's MVC structure or as a special task in an existing controller (the last two options require some additional logic to generate compatible links).
The solution presented here is a standalone component and includes a backend utility that generates links compatible with Login Assistant, which makes it the easiest way for a site administrator to implement login assistance functionality.
Versions 1.2 and later decouple link encoding from the Joomla global "secret word". The component uses the new encryption classes of the Joomla 3 platform, and a passphrase (private key) is now a required setting in the Login Assist component options. Links generated by the component will work on any Joomla installation provided that Login Assist is configured with the same private key. Previous component versions used the Joomla "secret word" for link encryption, so the links stopped working if this "secret word" changed (e.g. Joomla was reinstalled).
Login Assistant also supports silent user login. If a link is configured with a user and password and "Automatic Login" is enabled in the component configuration, the user will be silently logged in and redirected to the target page as soon as he follows the link. With "Automatic Login" disabled, users are first redirected to the "assisted" login view and the target page will open only after the "Login" button is clicked.
When you fill in all required fields and press the "Generate link" toolbar button, the resulting link appears in the bottom line. Just press the "Select link" button to select all the text (it may be longer than its visible part) and copy it to the clipboard. Then you can paste it into an email message or use it as a link URL property in an article. To make sure that the link behaves as intended, press the "Test link" button.
Obviously this form contains very sensitive data like username and password, so site security is an extremely important point here. Because of the way the Login Assistant component is designed, your site's security is not affected too much.
The base64_encode that is used for the whole 'k' (key) variable in the link's query serves as a wrapper only and has nothing to do with encryption. But both username and password are encrypted with the core JSimpleCrypt before being encoded as base64. When a user logs in using the provided link, the username and password parts of the key are decrypted using the passphrase set in the component options ("Encryption private key"). Please keep in mind that if you change the private key value in the component options, all links generated before the change will stop working.
On the other hand, you always have the option to leave the password field empty. Actually, you are limited to this option if the user the link is prepared for has self-registered on your site. In this case you simply cannot know his password. A link with an empty password will still show a login form, but the user will have to enter his password before logging in. The redirection after successful login will work normally.
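The link structure described above (encrypted username and password inside a base64-wrapped 'k' value, an optional empty password, and links that stop working when the private key changes), as an added PHP example that is not Login Assist's own code. The JSON layout with fields u, p and r, the la_* function names, the fixed salt and all sample values are assumptions, and AES-256-GCM from PHP's openssl extension stands in for JSimpleCrypt.

```php
<?php
// Added illustration, not Login Assist source. Field names u/p/r, the salt, the
// sample values and the cipher are assumptions; AES-256-GCM stands in for JSimpleCrypt.
function la_key(string $p): string { return hash_pbkdf2('sha256', $p, 'constructed-salt', 100000, 32, true); }

function la_encrypt(string $plain, string $passphrase): string
{
    if ($plain === '') return '';                 // blank field stays blank in the link
    $iv = random_bytes(12);                       // fresh nonce for every field
    $ct = openssl_encrypt($plain, 'aes-256-gcm', la_key($passphrase), OPENSSL_RAW_DATA, $iv, $tag);
    return bin2hex($iv . $tag . $ct);
}

function la_decrypt(string $hex, string $passphrase): ?string
{
    if ($hex === '') return '';
    $raw = ctype_xdigit($hex) && strlen($hex) % 2 === 0 ? hex2bin($hex) : '';
    if (strlen($raw) <= 28) return null;          // no room for nonce + tag + data
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', la_key($passphrase),
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    return $pt === false ? null : $pt;            // false: wrong key or altered data
}

function la_build_k(string $user, string $pass, string $target, string $passphrase): string
{
    $fields = [
        'u' => la_encrypt($user, $passphrase),
        'p' => la_encrypt($pass, $passphrase),    // empty when the user must type it
        'r' => $target,
    ];
    return base64_encode(json_encode($fields));   // wrapper only, adds no secrecy
}

function la_read_k(string $k, string $passphrase): ?array
{
    $fields = json_decode((string) base64_decode($k, true), true);
    foreach (['u', 'p', 'r'] as $name) {
        if (!is_array($fields) || !is_string($fields[$name] ?? null)) return null;
    }
    $user = la_decrypt($fields['u'], $passphrase);
    $pass = la_decrypt($fields['p'], $passphrase);
    if ($user === null || $pass === null) return null;   // e.g. private key was changed
    return ['user' => $user, 'pass' => $pass, 'target' => $fields['r']];
}

$k = la_build_k('demo', 'constructed-Passw0rd', 'index.php?Itemid=101', 'first private key');
var_dump(la_read_k($k, 'first private key'));     // passphrase used at generation
var_dump(la_read_k($k, 'second private key'));    // after the private key was changed
```

Requires PHP 7.1 or later with the openssl extension.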
And finally you can generate links without selecting a user ("generic" links). Such links will act as simple redirect links while ensuring that the user is logged in before the target page opens. For example, if you publish a plain link to an article with an access level other than public or guest, a user who is not currently logged in will see the "You are not authorized to view this resource" error if he tries to follow the link. With a "generic" link generated by Login Assistant, guest users are first redirected to the login view (in this case it is not "assisted", i.e. form fields will be blank) where they can enter their login credentials, and the target page will open after successful login.
This feature gives much more flexibility in the "redirect after login" setting. Unlike the core Joomla login module, where the redirect-after-login URL is a module-wide setting, "generic" links generated by Login Assistant allow setting redirect URLs individually for each link.
When you create a demo user for your site, the password for this demo account is usually published in clear form so that your visitors can use it to log in. If you use a link generated by Login Assistant for this purpose, a visitor can still log in, but only using the link you provide him. The demo account password will not be disclosed.
All links generated by Login Assistant are automatically saved to a log file. This file is located in the Joomla /logs folder, and you can review the link history if you browse to this folder using your favourite FTP client and open the "com_loginassist.log.php" file.
Download Login Assist for Joomla 3: Free Download