>- see footer for list info -<

A GUID would take some significant brute force hack attempts to crack. Think of it like a very complicated password.

Russ

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Damien Gallagher
Sent: 19 July 2006 10:58
To: Coldfusion Development
Subject: Re: [CF-Dev] order confirmation

Russ,

I was wondering what the risk was of some program being able to come up with a valid uuid on that webpage. The expiry's a good idea as we'd only need it valid for a day or so.

Damien

Snake wrote:

> Being able to link directly to order confirmation pages is quite
> normal, and it normally works like this.
> Just createUUID() with each order and store it in the DB along with an
> expiry date.
> Now append that UUID to the link you email to the shipping company.
> Verify the UUID and the expiry before displaying the confirmation page.
> So only people who have that link and click it before the expiry date
> will be able to get to the file.
>
> If you want it password protected, just have a login page that the
> shipping company only has to log in to once, and store a cookie, then they
> can click on the links all day without having to do it again.
>
> Russ
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Damien Gallagher
> Sent: 19 July 2006 10:26
> To: Coldfusion Development
> Subject: [CF-Dev] order confirmation
>
> Hi all,
>
> I have a shop system that sends out orders to a shipping company. The
> shipping company need to access a webpage that contains a confirmation
> note that contains all the purchaser's shipping and order details. This
> webpage will be accessed via a link from an email.
>
> They feel it will be too annoying (process-wise) to have a
> username/password for this page and so the obvious problem is how do
> you stop Joe Public (or Joe Hacker) from accessing someone else's
> personal info?
>
> I was thinking about using a hash of certain parts of the order (e.g.
> purchaser's email address/order number/time of order) in the query
> string to authenticate the user. Any comments on how secure this is?
> Could a bot attack this and come across a valid query string to access
> this data?
>
> Thanks, Damien

_______________________________________________

For details on ALL mailing lists and for joining or leaving lists, go to http://list.cfdeveloper.co.uk/mailman/listinfo

--
CFDeveloper Sponsors:-

>- Hosting provided by www.cfmxhosting.co.uk -<
>- Forum provided by www.fusetalk.com -<
>- DHTML Menus provided by www.APYCOM.com -<
>- Lists hosted by www.Gradwell.com -<
>- CFdeveloper is run by Russ Michaels, feel free to volunteer your help -<
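
The scheme described in the thread (a random identifier stored with each order plus an expiry, both verified before the confirmation page is shown), as an added example that is not code from any poster. It is written in Python with an in-memory SQLite table rather than CFML so it runs stand-alone; `uuid.uuid4()` stands in for `createUUID()`, and the table name `order_links`, the function names and the `shop.example` URL are assumptions.

```python
import sqlite3
import uuid
from datetime import datetime, timedelta, timezone


def open_db():
    """In-memory stand-in for the shop database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE order_links ("
        "token TEXT PRIMARY KEY, order_id INTEGER NOT NULL, expires_at TEXT NOT NULL)"
    )
    return db


def issue_link(db, order_id, now, ttl=timedelta(days=1)):
    """Create a random token for an order and return the link to email."""
    # The token is random, not derived from order data (email, order number,
    # time), so knowing those values does not help anyone reconstruct it.
    token = str(uuid.uuid4())
    db.execute(
        "INSERT INTO order_links (token, order_id, expires_at) VALUES (?, ?, ?)",
        (token, order_id, (now + ttl).isoformat()),
    )
    return f"https://shop.example/confirm?t={token}"  # constructed URL


def lookup_order(db, token, now):
    """Return the order id for a valid, unexpired token, otherwise None."""
    try:
        token = str(uuid.UUID(token))  # reject malformed input, normalise case
    except (ValueError, AttributeError, TypeError):
        return None
    row = db.execute(
        "SELECT order_id, expires_at FROM order_links WHERE token = ?", (token,)
    ).fetchone()
    if row is None:
        return None  # unknown token: same answer as an expired one
    if now >= datetime.fromisoformat(row[1]):
        return None  # link is past its expiry date
    return row[0]


if __name__ == "__main__":
    db = open_db()
    t0 = datetime(2006, 7, 19, 11, 0, tzinfo=timezone.utc)  # constructed time
    link = issue_link(db, 1042, t0)
    tok = link.split("t=")[1]
    print(link, lookup_order(db, tok, t0 + timedelta(hours=2)))
```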
