(I'm sure I'm not the first person with this issue, but I wasn't able to find much via Google/Stack Overflow. Apologies in advance if it's a duplicate.)
My site can be used as a data source for the program Mp3tag: it accesses a page on my site, scrapes data, and uses it to tag mp3 files. I want "vip" members of my site to have access to higher-resolution artwork.
Unfortunately, Mp3tag acts like a fresh browser each time: there's no cookie/session data, and the program can't display any sort of "sign in" prompt. So my issue is that I need to [semi-]securely authenticate a user without having them sign in.
My plan is to store a simple md5 hash for each vip member, have Mp3tag include the username/hash in the url it uses to access my site, and then have the server authenticate this. (For the record, I'm using PHP/SQL.)
(Note: I don't need this to be super secure. I won't be using the hash for any kind of sign in or access to anything else on the site. The worst case scenario should be that someone manages to guess a vip member's hash, and then has access to high-res artwork―if that's the worst case, I'm ok with that.)
But will this simple hash cause security issues elsewhere? All passwords are hashed/salted, use PHP's password functions, etc., so having a separate md5 hash (that's unrelated to password) shouldn't cause any issues, right?
And secondly, is there a more secure way to do this? I guess I could add some sort of IP address checks, but that's the only other idea I had.
