You are here: Home Plone products Products.OneTimeTokenPAS

Products.OneTimeTokenPAS (0.2)

by Olha Pelishok last modified 2009-11-09
Released on 2009-11-05 by Goldmund, Wyldebeast & Wunderliebe, Kim Chee Leong for Plone 3.0 under GPL - GNU General Public License available for All platforms.
Software development stage: stable
PAS Plugin, login using a token that can be only used once.

The One Time Token PAS allows users to login using a special token. The token is generated and can only be used one. This allows members to login without supplying their username and password. You can send an e-mail with the special login url, so the member can access the portal easily.


  1. Generate a token:

    getToolByName(self, 'onetimetoken_storage')

    token = tokenTool.setToken(userId) logincode = '?logincode=%s' % tokenTool.setToken(userId)

    'http://myplone/supersecret%s' % logincode

  2. Send url with logincode to user

The user can use the token only once and it's valid for three weeks. The expiration time can be set in the tool.


Why not let users login themselves instead of using this plug-in? In specific cases it's usefull to auto-login the user. For example; a member participates in a program to save energy and keep track of his energy usage. Every month he receives an email to auto-login and updates his usage. Another example; a portal is used for informing members of newly published newsletters, these letters aren't public. The member get's a link with auto-login to the newsletter so he can read it.

It's all about making it easier for the user and there's no obstacle to login. In above cases the members are normal users with no elevated rights. Ofcourse there could be cases where a one time token is not usefull and/or safe.

The logincode that is included in the url contains the loginname and the token in base64. Every token is a uniquely generated md5 hash of random data and can only be used once. If there's is a succesfull match between the given username, token and the stored token with username you're authenticated.

Clearing old tokens

Old tokens can be cleared bij calling clearExpired on the token storage. Using crontick and cron4plone this job can be automated.

Add this call in cron4plone: portal/onetimetoken_storage/clearExpired

Document Actions
Powered by Plone