I have a page in my ASP.NET MVC project that users should be able to access just by pressing a link (without signing in). I think I should generate some kind of access token based on the username/userId, but I'm not really sure how. Full authentication (via sign in) should be necessary for all other pages.
Clicking a link like this: http://example.com/specialpage?accesstoken={accesstoken} should take them to a page without having to sign in.
The controller should decrypt the token, get the username and render the view differently based on the user.
I know that it is not 100% secure, but it should at least not be possible to guess the token just by knowing the username.
What would be the best approach to do something like this? I'm using ASP.NET MVC 5 and Identity 2.
The token could be anything; it doesn't necessarily need to contain any sensitive information such as the username.
A token works by how the server remembers it, so in this case your token could simply be a GUID, which is then mapped on the server side to a known account. The benefits of this approach are:
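The server-side mapping described in the answer, as an added example that is not part of the original answer or of ASP.NET Identity. LinkTokenStore and its in-memory dictionary are hypothetical stand-ins for a database table, and the example swaps the GUID for 32 bytes from a cryptographic RNG, storing only a SHA-256 hash of the token together with an expiry.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not part of ASP.NET Identity): maps opaque link tokens to user ids.
// An in-memory dictionary stands in for a database table (assumption for this example).
public sealed class LinkTokenStore
{
    private sealed class Entry { public string UserId; public DateTime ExpiresUtc; }

    private readonly ConcurrentDictionary<string, Entry> _byHash =
        new ConcurrentDictionary<string, Entry>();

    // Creates a token for the user and returns the value to put in the link.
    public string Issue(string userId, TimeSpan lifetime)
    {
        var bytes = new byte[32];                       // 256 bits of randomness
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(bytes);
        // URL-safe base64 so the token can go into a query string unescaped.
        string token = Convert.ToBase64String(bytes)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        // Only the hash is stored, so a leaked table does not yield usable links.
        _byHash[Hash(token)] = new Entry { UserId = userId, ExpiresUtc = DateTime.UtcNow + lifetime };
        return token;
    }

    // Returns the user id for a known, unexpired token; otherwise null.
    public string Resolve(string token)
    {
        if (string.IsNullOrEmpty(token) || token.Length > 64) return null;
        string key = Hash(token);
        Entry entry;
        if (!_byHash.TryGetValue(key, out entry)) return null;
        if (entry.ExpiresUtc <= DateTime.UtcNow)
        {
            _byHash.TryRemove(key, out entry);          // drop expired tokens
            return null;
        }
        return entry.UserId;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

In the action that serves /specialpage, pass the accesstoken query value to Resolve and return HttpNotFound() when it yields null, so unknown and expired tokens look the same to the caller.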