> All I'm doing with it is encrypting the user's ID so they don't
> see "1003" and then try to mess with it and change it to 2003
> or 134567... all it is is the user's ID encrypted.
Hi Greg,

Cameron's advice is a better approach, though if you want to continue with the URL parameters, I'd suggest using a salted hash rather than dealing with reversible encryption. Encryption keys need to be handled with care, as the tiniest bit of change to them will cause problems. Trying to pass them around in URLs can be tricky, though it's possible. In your first example, I would put the key in base64 using toBase64() before putting it on the URL, then convert it back using toBinary() on the receiving end, rather than using URLEncode() and relying on the browser to get it right.

As for a hash, you could use one URL parameter consisting of [member_id];[salted_hash_of_member_id] put into a base64-encoded string (e.g. <cfset id = toBase64(member_id & ";" & hash(member_id & "some salt value")) />). On the receiving end, convert url.id back to a string with toString(toBinary(url.id)), parse out the ID, re-generate a hash using the same salt, and compare the new hash to the one passed through. It avoids passing around encryption keys, hides the value from the user (though they could decode the base64 string if they wanted to), and provides the security you're looking for, since even if they did decode the string and replace the ID, the salted hash won't match up and it would fail.

Cameron's single-use token suggestion is still better in this case though, imho.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347259
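The [member_id];[hash] scheme from the reply above, as an added example that is not from the thread or from ColdFusion: it uses a keyed HMAC with a server-side secret in place of hash(member_id & salt), a constant-time comparison on the receiving end, and a helper that reproduces the "decode the base64 and swap the ID" case the reply says must fail. The secret value and function names are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed secret for this example only; a real deployment loads it from
# configuration on the server, never from the URL or the page source.
SECRET = b"example-server-side-secret"

def make_token(member_id: int) -> str:
    """Build '<id>;<mac>' and base64-encode it, mirroring toBase64(member_id & ";" & hash(...))."""
    mac = hmac.new(SECRET, str(member_id).encode(), hashlib.sha256).hexdigest()
    raw = f"{member_id};{mac}".encode()
    return base64.urlsafe_b64encode(raw).decode()

def verify_token(token: str):
    """Decode url.id, recompute the MAC over the ID, and return the ID only if the MAC matches."""
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None                      # not valid base64 / not text
    if raw.count(";") != 1:
        return None                      # layout is not '<id>;<mac>'
    id_part, mac_part = raw.split(";")
    if not id_part.isdigit():
        return None                      # ID must be a plain integer
    expected = hmac.new(SECRET, id_part.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac_part):
        return None                      # ID was altered or MAC forged
    return int(id_part)

def swap_id_keeping_mac(token: str, new_id: int) -> str:
    """Model the case the reply describes: a user decodes the base64, changes the ID, keeps the old hash."""
    raw = base64.urlsafe_b64decode(token.encode()).decode()
    _, mac_part = raw.split(";")
    return base64.urlsafe_b64encode(f"{new_id};{mac_part}".encode()).decode()

if __name__ == "__main__":
    good = make_token(1003)
    print(verify_token(good))                              # 1003
    print(verify_token(swap_id_keeping_mac(good, 2003)))   # None
```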

