Ah, well in that case it's more like the token-activation kind of thing you see on a lot of websites, that's usually pretty secure.
In these situations always ask yourself the questions "how could somebody obtain this link?" and "if they obtain it, what can they do with it?". In your case it seems that in order for someone to abuse your system he must get the URL either through brute force (very, _very_ unlikely), email hack (nothing you can do about that) or browser history. In the unlikely scenario that someone obtains the URL in the first place it must also still be valid, the odds of which are severely decreased since the intended person has already clicked the URL and thus most likely responded and invalidated it. Long story short: I think you're good ;-).

On May 7, 6:36 am, datgs <[email protected]> wrote:
> Thanks for your comment. I would like to explain my situation in more detail.
>
> Assume that you have 2 users, Officer and Approver. The Officer creates
> a report and sends it to the Approver to be accepted or denied.
>
> The Approver receives a URL mentioned within the email. He
> clicks the link:
>
> 1/ He can log in to the system without username & password
> 2/ He is redirected to the report detail
>
> I know that the appearance of this link is high risk and have warned
> the Approver about "... please keep the link secure ...". Moreover, I
> have added a lifetime to reduce the risk (because when the report is
> approved, the link is invalid; it looks like the URL used to activate
> the user after registration).
>
> Please tell me what is the best solution for this?
>
> On May 7, 4:14 am, Elte Hupkes <[email protected]> wrote:
> > Yes, URLs are encrypted over SSL (incidentally the reason you used to
> > be unable to host multiple domains under the same certificate - the
> > server couldn't make out which domain to serve). However, I would
> > consider sending private data in a URL a bad idea regardless of
> > whether it's encrypted or not; it shows up in browser history for
> > example, and you really want to avoid that.
> >
> > On May 6, 8:15 pm, datgs <[email protected]> wrote:
> > > I have a URL under HTTPS.
> > >
> > > https://domain.com/privatekey/550e8400-e29b-41d4-a716-446655440000
> > >
> > > Is the request path (privatekey/550e8400-e29b-41d4-a716-446655440000)
> > > encrypted like POST or GET params?
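The properties Elte relies on above (a token long enough that brute force is unrealistic, a lifetime, and invalidation once the Approver has responded) as an added example in Python, not code from this thread or from CakePHP. The `/approve/` path, the in-memory `_TOKENS` store, the report ids and the addresses are constructed for the demo.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory store: sha256(token) -> record. A real app keeps this in a DB table.
_TOKENS: Dict[str, dict] = {}


def issue_link(report_id: int, approver: str, ttl_seconds: int, now: float) -> str:
    """Create a one-time approval link bound to one report and one approver."""
    token = secrets.token_urlsafe(32)  # 256 random bits: guessing the URL is not a realistic path
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    # Store only the hash: a leaked DB row or log line does not yield a working link.
    _TOKENS[token_hash] = {
        "report_id": report_id,
        "approver": approver,
        "expires_at": now + ttl_seconds,  # the "lifetime" datgs mentions
        "used": False,
    }
    return f"https://domain.com/approve/{token}"  # hypothetical path on the thread's example host


def redeem_link(url: str, now: float) -> Optional[dict]:
    """Validate a clicked link. Returns the bound (report_id, approver) on success, else None."""
    token = url.rsplit("/", 1)[-1]
    # Hashing before lookup means the comparison runs on an unpredictable digest, not the secret itself.
    record = _TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None:
        return None  # unknown token (wrong guess, or never issued)
    if record["used"] or now > record["expires_at"]:
        return None  # already answered, or past its lifetime: the link is dead
    record["used"] = True  # invalidate before acting, so a replayed click decides nothing
    return {"report_id": record["report_id"], "approver": record["approver"]}


def demo() -> tuple:
    """Walk the four cases from the thread: first click, replay, expiry, and a guessed URL."""
    t0 = time.time()
    url = issue_link(42, "approver@example.com", ttl_seconds=3600, now=t0)
    first = redeem_link(url, now=t0 + 60) is not None          # intended Approver clicks once
    replay = redeem_link(url, now=t0 + 61) is not None         # same link found in browser history
    stale = issue_link(43, "approver@example.com", 3600, t0)
    expired = redeem_link(stale, now=t0 + 3601) is not None    # clicked after the lifetime
    guess = url[:-1] + ("A" if url[-1] != "A" else "B")        # one-character "brute force" attempt
    guessed = redeem_link(guess, now=t0) is not None
    return first, replay, expired, guessed
```

Only the first click succeeds; the replay, the expired link and the near-miss guess all return `None`.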
