- see footer for list info -<
Russ,
I was wondering what the risk was of some program being able to come up
with a valid uuid on that webpage. The expiry's a good idea as we'd only
need it valid for a day or so.
Damien
Snake wrote:
Being able to link directly to order confirmation pages is quite normal, and
it normally works like this.
Just createUUID() with each order and store it in the DB along with an
expiry date.
Now append that UUID to the link you email to the shipping company.
Verify the UUID and the expiry before displaying the confirmation page.
So only people who have that link and click it before the expiry date will
be able to get to the file.
If you want it password protected, just have a login page that the shipping
company only has to log in to once, and store a cookie; then they can click on
the links all day without having to do it again.
Russ
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Damien Gallagher
Sent: 19 July 2006 10:26
To: Coldfusion Development
Subject: [CF-Dev] order confirmation
Hi all,
I have a shop system that sends out orders to a shipping company. The
shipping company need to access a webpage that contains a confirmation note
that contains all the purchaser's shipping and order details. This webpage
will be accessed via a link from an email.
They feel it will be too annoying (process-wise) to have a username/password
for this page and so the obvious problem is how do you stop Joe Public (or Joe
Hacker) from accessing someone else's personal info?
I was thinking about using a hash of certain parts of the order (e.g.
purchaser's email address/order number/time of order) in the query string to
authenticate the user. Any comments on how secure this is?
Could a bot attack this and come across a valid query string to access this
data?
Thanks, Damien
_______________________________________________
For details on ALL mailing lists and for joining or leaving lists, go to
http://list.cfdeveloper.co.uk/mailman/listinfo
--
CFDeveloper Sponsors:-
- Hosting provided by www.cfmxhosting.co.uk -<
- Forum provided by www.fusetalk.com -<
- DHTML Menus provided by www.APYCOM.com -<
- Lists hosted by www.Gradwell.com -<
- CFdeveloper is run by Russ Michaels, feel free to volunteer your help -<
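
The per-order token with expiry that Russ describes, sketched in Python rather than ColdFusion as an added example that is not part of the original thread. It assumes a token drawn from the OS CSPRNG in place of createUUID(), in-memory dictionaries standing in for the orders table, a hypothetical URL, and an assumed failure threshold to slow the bot guessing Damien asks about.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 5   # assumed threshold before a client is refused
_links = {}        # token digest -> (order_id, expires_at); stands in for the orders table
_failures = {}     # client address -> count of unknown tokens presented


def _digest(token):
    # Store only a hash so a leaked table does not reveal working links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_link(order_id, now, ttl=timedelta(days=1)):
    """Create the link to email for one order; valid for `ttl`."""
    token = secrets.token_urlsafe(32)  # 32 random bytes (256 bits)
    _links[_digest(token)] = (order_id, now + ttl)
    return "https://shop.example/confirm?t=" + token  # hypothetical URL


def resolve(token, client, now):
    """Return the order id for a valid, unexpired token, else None."""
    if _failures.get(client, 0) >= MAX_FAILURES:
        return None  # too many bad guesses from this client; refuse
    record = _links.get(_digest(token))
    if record is None:
        # Unknown token: count it so repeated guessing is cut off and visible.
        _failures[client] = _failures.get(client, 0) + 1
        return None
    order_id, expires_at = record
    return order_id if now < expires_at else None


if __name__ == "__main__":
    t0 = datetime(2006, 7, 19, 10, 26, tzinfo=timezone.utc)  # constructed sample time
    link = issue_link(order_id=1001, now=t0)
    token = link.split("?t=", 1)[1]
    print(resolve(token, "203.0.113.7", t0 + timedelta(hours=2)))  # 1001
    print(resolve(token, "203.0.113.7", t0 + timedelta(days=2)))   # None
```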