The login process is very important for every website that has content or functions that should not be available to unregistered users. As a general rule, passwords should never be exposed in clear form in emails, instant messages or as part of a web link.
But there are cases when this rule may be relaxed. First of all, depending on the security policy of your website, users who log in may be assigned to different user groups with different privileges. It is evidently not the same thing if a logged-in user may view your company's confidential information or create/edit content on your website, or if the only thing he is authorized to do is leave a comment on your site or view his support ticket progress online. Another scenario: you have prepared a summary information page for your client and would like to email him a link to that page. With the login assistant your client does not need to remember his username and password; moreover, after login he will be redirected to the target page automatically!
The login assistant may be implemented as a separate component, as a special controller in your component's MVC structure or as a special task in an existing controller (the last two options require some additional logic to generate compatible links).
The solution presented here is a standalone component and includes a backend utility that generates links compatible with Login Assistant, which makes it the easiest way for a site administrator to implement login assistance functionality.
Version 1.1 allows link generation with no user selected. This mode does not provide login assistance and can be used as a custom redirect-after-login tool. The same link can be sent to a group of users, and each of them will be redirected to the target URL after a successful login.
Version 1.2 decouples link encoding from the Joomla global "secret word". It uses the new encryption classes of the Joomla 3 platform, and a passphrase (private key) can now be configured in the Login Assist component options. The links generated by the component will now work on any Joomla installation, provided that Login Assist is configured with the same private key. Previous component versions used the Joomla "secret word" for link encryption, so the links stopped working if this "secret word" changed (e.g. Joomla was reinstalled).
This is a link to a demo article that requires login.
The link you see above was generated with the Login Assistant backend utility.
Version 1.1 for Joomla 2.5
Version 1.2 for Joomla 3.x
When you fill in all required fields and press the "Generate link" toolbar button, the resulting link appears in the bottom line. Just press the "Select link" button to select all of the text (it may be longer than its visible part) and copy it to the clipboard. Then you can paste it into an email message or use it as a link URL property in an article. To make sure that the link behaves as intended, press the "Test link" button.
Obviously, this form contains very sensitive data such as the username and password, so site security is an extremely important point here. The Login Assistant component is designed so that your site's security is not affected too much.
The base64_encode applied to the whole 'k' (key) variable in the link's query string is used as a wrapper only and has nothing to do with encryption. Both the username and the password, however, are encrypted with the core JSimpleCrypt class, using the Joomla installation's secret word, before being encoded. When a user logs in using the provided link, the username and password parts of the key are decrypted. (This has another effect: links created for one Joomla installation will not work in another one, even if a user with the same credentials is registered in both installations.)
On the other hand, you always have the option to leave the password field empty. In fact, you are limited to this option if the user the link is prepared for has self-registered on your site: in this case you simply cannot know his password. A link with an empty password will still show a login form, but the user has to enter his password before logging in. The redirection after a successful login will work normally.
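The link structure described above, as an added example that is not the Login Assist component's own code: the layout of "k" (a JSON object with fields u, p and r), all function names and the sample values are assumptions made for illustration, and AES-256-GCM from PHP's OpenSSL extension stands in for the Joomla crypt classes. It shows that base64 is only a wrapper, that a link with an empty password still carries the redirect target, and that a link does not decrypt under a different passphrase.

```php
<?php
// Added illustration. Hypothetical layout of "k": base64(JSON {u, p, r});
// u and p are encrypted fields, r is the redirect target.

function deriveKey(string $passphrase): string {
    // Fixed salt constructed for this demo only.
    return hash_pbkdf2('sha256', $passphrase, 'demo-salt', 100000, 32, true);
}

function encryptField(string $plain, string $key, string $aad): string {
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    return base64_encode($iv . $tag . $ct);
}

function decryptField(string $blob, string $key, string $aad): ?string {
    $raw = (string) base64_decode($blob, true);
    if (strlen($raw) < 29) {
        return null; // need 12-byte IV, 16-byte tag and at least one ciphertext byte
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($raw, 0, 12), substr($raw, 12, 16), $aad);
    return $pt === false ? null : $pt;
}

function buildKey(string $user, string $pass, string $target, string $passphrase): string {
    $key = deriveKey($passphrase);
    // The target is bound to both ciphertexts as AAD, so editing r breaks decryption.
    $p = $pass === '' ? '' : encryptField($pass, $key, $target);
    return base64_encode(json_encode(['u' => encryptField($user, $key, $target), 'p' => $p, 'r' => $target]));
}

function readKey(string $k, string $passphrase): ?array {
    $d = json_decode((string) base64_decode($k, true), true);
    if (!is_array($d) || !isset($d['u'], $d['p'], $d['r'])) {
        return null;
    }
    $key  = deriveKey($passphrase);
    $user = decryptField($d['u'], $key, $d['r']);
    // An empty p means "show the login form and let the user type the password".
    $pass = $d['p'] === '' ? '' : decryptField($d['p'], $key, $d['r']);
    // null: wrong passphrase (another installation) or a modified link
    return ($user === null || $pass === null) ? null : ['user' => $user, 'pass' => $pass, 'target' => $d['r']];
}

$k = buildKey('demo', 'constructed-pw', 'index.php?option=com_content&id=1', 'site-A passphrase');
echo base64_decode($k), "\n";               // structure is readable, u and p are ciphertext
var_dump(readKey($k, 'site-A passphrase')); // credentials and target recovered
var_dump(readKey($k, 'site-B passphrase')); // NULL
```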
When you create a demo user for your site, the password for this demo account is usually published in clear form so that your visitors can use it to log in. If you use a link generated by Login Assistant for this purpose, a visitor can still log in, but only by using the link you provide. The demo account password will not be disclosed.