- see footer for list info -<
Cheers Robin, all sounds good to me. It's always a balance when it comes
to a perceived addition to someone's workload (even just a few seconds!)
Robin Griffiths wrote:
Hi Damien
A system like that would make me nervous, but that's probably just me being
pessimistic. To keep it safe, I think there are a few options...
- when generating the email, generate a nice long random string
(createUUID(), maybe?), then store it in your DB with the login details,
order details etc - that way you're passing something meaningless on the
query string i.e. there's nothing for a hacker to 'decode'. Also, timestamp
the DB record and have it expire within a reasonable amount of time.
- store the IP address of the shipping company so that you can stop at least
the casual hacker from accessing the site
- block IP ranges that have more than, say, 10 aborted attempts at login
within a certain time period
All very anally retentive, I know, but if you're worried...
Cheers
Robin
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Damien Gallagher
Sent: 19 July 2006 10:26
To: Coldfusion Development
Subject: [CF-Dev] order confirmation
Hi all,
I have a shop system that sends out orders to a shipping company. The
shipping company need to access a webpage that contains a confirmation
note that contains all the purchaser's shipping and order details. This
webpage will be accessed via a link from an email.
They feel it will be too annoying (process-wise) to have a
username/password for this page and so the obvious problem is how do you
stop Joe Public (or Joe Hacker) from accessing someone else's personal info?
I was thinking about using a hash of certain parts of the order (eg.
purchaser's email address/order number/time of order) in the query
string to authenticate the user. Any comments on how secure this is?
Could a bot attack this and come across a valid query string to access
this data?
Thanks, Damien
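Robin's reply above (random token stored with the order, expiry on the record, and a block after too many failed attempts) is concrete enough to sketch in code. The block below is an added illustration, not code from either poster or from any ColdFusion project; it is written in Python rather than CFML so it can be run as-is. Everything in it is assumed: the confirmation URL, the one-week lifetime, the one-hour failure window, the in-memory dict standing in for the DB table, and the example IP addresses, which are constructed. The link carries only an opaque random string (the equivalent of Robin's createUUID() suggestion, with 256 bits of randomness), the DB holds a hash of that string rather than the string itself, and lookups from an IP with too many recent failures are refused before the table is even consulted.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

# Policy knobs (assumed values; the thread only says "a reasonable amount of
# time" and "say, 10 aborted attempts").
TOKEN_TTL_SECONDS = 7 * 24 * 3600
MAX_FAILURES = 10
FAILURE_WINDOW_SECONDS = 3600
CONFIRM_URL = "https://shop.example/confirm.cfm?t="   # hypothetical page


def _digest(token: str) -> str:
    # Store only a hash of the token: a read-out of the table does not yield
    # working links, and an exact-match lookup on the digest needs no
    # constant-time comparison because the digest reveals nothing about
    # the random token behind it.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ConfirmationLinks:
    """Stand-in for the DB table Robin describes: one row per issued link
    holding the order reference, an expiry time and the token digest."""

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.rows = {}                       # token digest -> row
        self.failures = defaultdict(deque)   # client IP -> failure timestamps

    def issue(self, order_id: str) -> str:
        # 32 random bytes -> 43-char URL-safe string; nothing in it derives
        # from the order, so there is nothing to 'decode'.
        token = secrets.token_urlsafe(32)
        self.rows[_digest(token)] = {
            "order_id": order_id,
            "expires": self.now() + TOKEN_TTL_SECONDS,
        }
        return CONFIRM_URL + token

    def _blocked(self, client_ip: str) -> bool:
        # Drop failures older than the window, then apply the threshold.
        cutoff = self.now() - FAILURE_WINDOW_SECONDS
        q = self.failures[client_ip]
        while q and q[0] < cutoff:
            q.popleft()
        return len(q) >= MAX_FAILURES

    def _record_failure(self, client_ip: str) -> None:
        self.failures[client_ip].append(self.now())

    def lookup(self, token: str, client_ip: str):
        """Return the order id for a valid, unexpired token, else None.
        Unknown and expired tokens both count as failed attempts."""
        if self._blocked(client_ip):
            return None
        row = self.rows.get(_digest(token))
        if row is None or row["expires"] < self.now():
            self._record_failure(client_ip)
            return None
        return row["order_id"]


def token_from_url(url: str) -> str:
    # What confirm.cfm would read from the query string.
    return url.split("t=", 1)[1]


if __name__ == "__main__":
    links = ConfirmationLinks()
    url = links.issue("ORD-1001")          # constructed order reference
    print(url)
    print(links.lookup(token_from_url(url), "203.0.113.5"))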
_______________________________________________
For details on ALL mailing lists and for joining or leaving lists, go to
http://list.cfdeveloper.co.uk/mailman/listinfo
--
CFDeveloper Sponsors:-
- Hosting provided by www.cfmxhosting.co.uk -<
- Forum provided by www.fusetalk.com -<
- DHTML Menus provided by www.APYCOM.com -<
- Lists hosted by www.Gradwell.com -<
- CFdeveloper is run by Russ Michaels, feel free to volunteer your help -<