>- see footer for list info -<

Hi Damien

A system like that would make me nervous, but that's probably just me being pessimistic. To keep it safe, I think there are a few options...

- when generating the email, generate a nice long random string (createUUID(), maybe?), then store it in your DB with the login details, order details etc. - that way you're passing something meaningless on the query string, i.e. there's nothing for a hacker to 'decode'. Also, timestamp the DB record and have it expire within a reasonable amount of time.
- store the IP address of the shipping company so that you can stop at least the casual hacker from accessing the site
- block IP ranges that have more than, say, 10 aborted attempts at login within a certain time period

All very anally retentive, I know, but if you're worried...

Cheers
Robin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Damien Gallagher
Sent: 19 July 2006 10:26
To: Coldfusion Development
Subject: [CF-Dev] order confirmation

>- see footer for list info -<

Hi all,

I have a shop system that sends out orders to a shipping company. The shipping company need to access a webpage that contains a confirmation note with all the purchaser's shipping and order details. This webpage will be accessed via a link from an email.

They feel it will be too annoying (process-wise) to have a username/password for this page, and so the obvious problem is how do you stop jo public (or jo hacker) from accessing someone else's personal info?

I was thinking about using a hash of certain parts of the order (e.g. purchaser's email address/order number/time of order) in the query string to authenticate the user. Any comments on how secure this is? Could a bot attack this and come across a valid query string to access this data?

Thanks,
Damien

_______________________________________________
For details on ALL mailing lists and for joining or leaving lists, go to http://list.cfdeveloper.co.uk/mailman/listinfo
--
CFDeveloper Sponsors:-
>- Hosting provided by www.cfmxhosting.co.uk -<
>- Forum provided by www.fusetalk.com -<
>- DHTML Menus provided by www.APYCOM.com -<
>- Lists hosted by www.Gradwell.com -<
>- CFdeveloper is run by Russ Michaels, feel free to volunteer your help -<
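Robin's random-token suggestion worked through as an added example in Python (not ColdFusion, and not code from either poster): the value put in the emailed link is a CSPRNG token rather than a hash of guessable order fields, it is stored by its SHA-256 with an expiry, lookups can be restricted to the shipping company's IP, and an IP that racks up ten unknown-token failures inside the window is refused. `ConfirmationStore`, `TOKEN_TTL`, `FAILURE_WINDOW` and the sample IPs are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL = 7 * 24 * 3600   # link valid for one week (assumed policy)
MAX_FAILURES = 10           # Robin's suggested threshold
FAILURE_WINDOW = 3600       # ...counted within one hour (assumed)


@dataclass
class ConfirmationStore:
    """Stand-in for the DB table holding order-confirmation tokens (constructed)."""
    allowed_ips: Optional[set] = None               # shipping company's IPs, if known
    records: dict = field(default_factory=dict)     # sha256(token) -> (order_id, expires_at)
    failures: dict = field(default_factory=dict)    # ip -> timestamps of failed lookups

    @staticmethod
    def _key(token: str) -> str:
        # Only the hash of the token is stored, so a leaked DB row is not a working link.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_link_token(self, order_id: str, now: float) -> str:
        # 32 bytes from the OS CSPRNG: unlike a hash of email/order number/time,
        # there is nothing here that can be reconstructed from known order data.
        token = secrets.token_urlsafe(32)
        self.records[self._key(token)] = (order_id, now + TOKEN_TTL)
        return token

    def _ip_blocked(self, ip: str, now: float) -> bool:
        # Drop failures older than the window, then apply Robin's "10 attempts" rule.
        recent = [t for t in self.failures.get(ip, []) if now - t < FAILURE_WINDOW]
        self.failures[ip] = recent
        return len(recent) >= MAX_FAILURES

    def lookup_order(self, token: str, ip: str, now: float) -> Optional[str]:
        """Return the order id for a valid, unexpired token from an allowed IP, else None."""
        if self.allowed_ips is not None and ip not in self.allowed_ips:
            return None
        if self._ip_blocked(ip, now):
            return None
        rec = self.records.get(self._key(token))
        if rec is None:
            # Unknown token: count it towards the per-IP lockout.
            self.failures.setdefault(ip, []).append(now)
            return None
        order_id, expires_at = rec
        return order_id if now <= expires_at else None   # expired links simply stop working
```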
