The problem isn't going to be bots randomly generating a UUID, it's going to be someone else reading/intercepting your emails or internet traffic, or trojan horses. An expiry date will only help a little. If the page contains credit card details, you need something more secure than an obfuscated URL; the weak point is the end user and their PC.

Duncan Cumming
New Media Developer
Customer Relations Management / Education
Fife Council
700 4105 / 01592 414105

>>> [EMAIL PROTECTED] 19/07/2006 13:01 >>>

A GUID would take some significant brute force hack attempts to crack. Think of it like a very complicated password.

Russ

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Damien Gallagher
Sent: 19 July 2006 10:58
To: Coldfusion Development
Subject: Re: [CF-Dev] order confirmation

Russ,

I was wondering what the risk was of some program being able to come up with a valid UUID on that webpage. The expiry's a good idea as we'd only need it valid for a day or so.

Damien

Snake wrote:

> Being able to link directly to order confirmation pages is quite normal, and it normally works like this.
> Just createUUID() with each order and store it in the DB along with an expiry date.
> Now append that UUID to the link you email to the shipping company.
> Verify the UUID and the expiry before displaying the confirmation page.
> So only people who have that link and click it before the expiry date will be able to get to the file.
>
> If you want it password protected, just have a login page that the shipping company only has to log in to once, and store a cookie; then they can click on the links all day without having to do it again.
>
> Russ
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Damien Gallagher
> Sent: 19 July 2006 10:26
> To: Coldfusion Development
> Subject: [CF-Dev] order confirmation
>
> Hi all,
>
> I have a shop system that sends out orders to a shipping company. The shipping company need to access a webpage that contains a confirmation note that contains all the purchaser's shipping and order details. This webpage will be accessed via a link from an email.
>
> They feel it will be too annoying (process-wise) to have a username/password for this page and so the obvious problem is how do you stop Joe Public (or Joe hacker) from accessing someone else's personal info?
>
> I was thinking about using a hash of certain parts of the order (e.g. purchaser's email address/order number/time of order) in the query string to authenticate the user. Any comments on how secure this is? Could a bot attack this and come across a valid query string to access this data?
>
> Thanks, Damien
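
The scheme described in the thread (a per-order token stored with an expiry and checked before the confirmation page is shown), next to the hash-of-order-fields idea from the original question, as an added example in Python; it is not code from the thread. It uses `secrets.token_urlsafe` in place of `createUUID()`, and the in-memory table, the URL and the order values are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

BASE_URL = "https://shop.example/confirm"  # placeholder URL (assumption)

# Stand-in for the orders table: sha256(token) -> (order_id, expires_at).
# Only the digest is stored, so a copy of the table does not yield working links.
_LINKS = {}

def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_link(order_id, now, ttl=timedelta(days=1)):
    """Create the link that gets emailed to the shipping company."""
    token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
    _LINKS[_digest(token)] = (order_id, now + ttl)
    return f"{BASE_URL}?t={token}"

def resolve(token, now):
    """Return the order id for a known, unexpired token, otherwise None."""
    key = _digest(token)
    entry = _LINKS.get(key)
    if entry is None:
        return None
    order_id, expires_at = entry
    if now >= expires_at:
        del _LINKS[key]  # expired links are removed, not just refused
        return None
    return order_id

def order_hash(email, order_no, order_time):
    """Idea from the original question: an unkeyed hash of order fields.
    It contains no secret, so anyone who knows the fields gets the same value."""
    return hashlib.sha256(f"{email}|{order_no}|{order_time}".encode()).hexdigest()

def demo():
    """Constructed sample run; the order id and times are made up."""
    t0 = datetime(2006, 7, 19, 10, 0, tzinfo=timezone.utc)
    token = issue_link("ORD-1001", t0).split("?t=", 1)[1]
    return {
        "within_a_day": resolve(token, t0 + timedelta(hours=2)),
        "random_guess": resolve(secrets.token_urlsafe(32), t0),
        "after_expiry": resolve(token, t0 + timedelta(days=2)),
    }
```

The link remains a bearer credential: whoever can read the email can open the page until the expiry passes, which is the limit raised in the first reply above.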
