How secure is login by url?

My question is based on this one:

What are the pitfalls of logging in by url?

I mean like this:

I added some extra “security” by an unknown key and an unknown value:

http://example.com/autologin/?some_unknown_key=some_unknown_value

The key and value can be a hash, md5 or some really hard string.

My thoughts

  • Google can’t find it because I will never ever link to this url.
  • My friends can never find it because I will never give them the url.
  • No one knows I have a backdoor.
  • No one knows my slug (autologin), key or value.

How is it cracked? Why is it not recommended?

I might look stupid, but I really have never been given a good answer to this question.

@lukasbestle ?

The biggest disadvantage is that once you have such a login API, it is very easy to just send the link around without thinking about it.
I have experience with that myself from a school project with a similar way to login. People started to send the links via email (which are unencrypted!), something they wouldn’t have done with username/password combinations.

Sending login URLs via email is generally fine, but there is one very important piece to this puzzle: The link must absolutely only work once. But for a way to login to your Kirby site, that’s not useful at all.

So the conclusion is: Having such a way to login is completely fine from a security standpoint as long as you are the only one who uses it by bookmarking the link etc.
Once other people get to use it, it can be pretty bad.

2 Likes

I think I figured out an awesome solution to the problem!

1.

Set up a local host on an alias like http://login. It will be like a portal for all sites.

2.

Set up so you can go to the urls like this:

http://login/example.com
http://login/getkirby.com

…or as a url list if visiting http://login

…or for some this might be easier…

http://localhost/login/example.com
http://localhost/login/getkirby.com

3.

When visiting http://login/example.com it does this:

  1. It contains the autologin url like http://example.com/autologin
  2. It looks at the current time, what hour or minute it is right now.
  3. It adds a secret string that matches another secret string in the config.php of the site.
  4. It puts it together like ?token=13:57_my-secret-string
  5. It uses md5 on the string like ?token=c28b6f63a39c11849b521a2d1273866f
  6. All together it will be http://example.com/autologin?token=c28b6f63a39c11849b521a2d1273866f (it will be different, every minute)

Benefits

  • We have a short localhost url (without parameters). It’s safer to not by mistake share the final url.
  • The generated url will only work this minute of the day.
  • With md5 no one can figure out what it is for.
  • For all unsuccessful logins (by a url user) it will only show the normal 404 so no one will ever know there is a backdoor.

Let me know what you think.

To make this hash secure by any means, you need to sign it, because it is very, very, very easy to just fake the MD5 hash if you know how it’s structured.

Depending on the secret string, the MD5 might even be in some rainbow tables, which means that it’s easy to extract the secret string and therefore easy to build your own hash.

You could use something like openssl_sign for the signing process. The local keyserver would sign the current date with a private key and the Kirby site would verify the resulting string using the public key. You don’t need to include a secret string when signing because the private key is the secret string.

Also make sure to include the year, month and day when signing to prevent key re-use on every following day.
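
The signing scheme suggested in the reply above, sketched as an added example (not code from the thread or from Kirby): the keyserver signs the full UTC date and time with openssl_sign, and the site checks it with openssl_verify and the public key only. The function names, the `date.signature` token layout and the 60-second validity window are assumptions.

```php
<?php
// Added example; function names and MAX_AGE are hypothetical.
const MAX_AGE = 60; // seconds a token is accepted after it was issued (assumption)

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64urlDecode(string $txt) {
    $padded = str_pad($txt, strlen($txt) + (4 - strlen($txt) % 4) % 4, '=');
    return base64_decode(strtr($padded, '-_', '+/'), true);
}

// Keyserver side: sign the full UTC date and time with the private key.
function makeToken($privateKey, int $now): string {
    $message = gmdate('YmdHis', $now); // year, month and day are part of the signed data
    if (!openssl_sign($message, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return $message . '.' . b64url($signature);
}

// Site side: needs only the public key.
function verifyToken(string $token, $publicKey, int $now): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return false;
    }
    [$message, $encoded] = $parts;
    $signature = b64urlDecode($encoded);
    // Verify the signature first; only then is the timestamp trustworthy.
    if ($signature === false
        || openssl_verify($message, $signature, $publicKey, OPENSSL_ALGO_SHA256) !== 1) {
        return false;
    }
    $issued = DateTimeImmutable::createFromFormat('YmdHis', $message, new DateTimeZone('UTC'));
    return $issued !== false && abs($now - $issued->getTimestamp()) <= MAX_AGE;
}

// Demo with a throwaway RSA key pair generated on the spot.
$private = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$public  = openssl_pkey_get_details($private)['key']; // PEM public key
$now     = time();
$token   = makeToken($private, $now);
$forged  = gmdate('YmdHis', $now + 3600) . strstr($token, '.'); // new date, old signature
var_dump(verifyToken($token, $public, $now));         // fresh token
var_dump(verifyToken($token, $public, $now + 3600));  // same token an hour later
var_dump(verifyToken($forged, $public, $now + 3600)); // re-dated without the private key
```

A token verified this way can still be replayed until it expires, so the "must only work once" property mentioned earlier in the thread additionally requires the site to remember which tokens it has already accepted.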