Jeff,

I like the idea of using a real piece of data (the id) and then a hash to
validate that it's not some random GET request!  That is a nice, slick way
to avoid complicated encryption or junking up the database.  Thanks!

--Tom

On Mon, Sep 28, 2009 at 7:47 PM, Jeff Lewis <[email protected]> wrote:

>
> Hey Tom,
>
> Instead of encrypting/decrypting some data, one typical approach to do
> this type of thing is to employ (cryptographic) hashing to verify that
> some requested action is valid, as well as to try and discourage
> malicious request attempts.
>
> You could try something like:
>
> ### in routes:
> ...
> map.connect '/unsubscribe/:user_id/:dt/:hd', :controller=>'test', :action=>'unsubscribe'
> map.connect '/unsubscribe/:user_id', :controller=>'test', :action=>'unsubscribe'
> ...
>
> ### in controller:
> require 'digest/sha2'
> ...
>
> UNSUBSCRIBE_SECRET = "somelongrandomstring"
> UNSUBSCRIBE_URL_PRE = "http://testapp.foo.com/unsubscribe"
> ...
>
> def unsubscribe
>  user_id = params[:user_id].to_i
>  dt = params[:dt].to_i
>  hd = params[:hd]
>
>  # user doesn't exist in db?
>  if user_id < 1 or User.count(:conditions=>["id=?", user_id]) < 1
>    # log it and redirect to ....
>    return  # stop here; without this the action would fall through to the branches below
>  end
>
>  # email unsubscribe link to user?
>  if dt < 1 or hd.blank?
>    dt = Time.now.to_i
>    hd = unsubscribe_hd(user_id, dt)
>    unsubscribe_url = "#{UNSUBSCRIBE_URL_PRE}/#{user_id}/#{dt}/#{hd}"
>    # email url to user and redirect to ....
>    return
>  end
>
>  # invalid hd?
>  expected_hd = unsubscribe_hd(user_id, dt)
>  if hd != expected_hd
>    # log it and redirect to ....
>    return
>  end
>
>  # unsubscribe the user and redirect to ...
> end
> ...
>
> protected
>
> def unsubscribe_hd(user_id, dt)
>  secret_hd = Digest::SHA256.hexdigest(UNSUBSCRIBE_SECRET)
>  return Digest::SHA256.hexdigest("#{user_id}#{dt}#{secret_hd}")
> end
> ...
>
> Jeff
>
> On Sep 28, 12:12 pm, TomRossi7 <[email protected]> wrote:
> > I want to provide a link for users to unsubscribe from our newsletter.
> > I don't want the actual email address to show up in the url.  So I
> > would like it something like /unsubscribe/wx313asdf31.  What is the
> > simplest method of encrypting the email to a URL compliant string?
> >
> > Thanks,
> > Tom
> >
>

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
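The signed-link scheme Jeff sketches above (user id and timestamp in the URL, plus a hash that only the server can compute), carried through as an added example that is not part of the thread and not the poster's code. It is plain Ruby with no Rails dependency, so the functions are what a controller action would call. Compared with the sketch it makes three standard choices: the tag is an HMAC-SHA256 over the fields with a delimiter between them (rather than hashing the id, timestamp and a hash of the secret concatenated), the tag comparison is constant-time, and links expire. The secret value, the 30-day lifetime and the `parse_unsubscribe_url` helper are assumptions for the example; the URL prefix is the one from the post.

```ruby
require 'openssl'
require 'base64'

# Added example, not the list post's code. Plain Ruby with no Rails dependency:
# a controller would call unsubscribe_url when sending the newsletter and
# verify_unsubscribe from the action behind /unsubscribe/:user_id/:dt/:hd.
UNSUBSCRIBE_SECRET  = 'replace-with-a-long-random-secret'   # assumption: placeholder, load from config
UNSUBSCRIBE_URL_PRE = 'http://testapp.foo.com/unsubscribe'  # prefix taken from the post
TOKEN_TTL           = 30 * 24 * 60 * 60                     # assumption: links stay valid for 30 days

# Tag = HMAC-SHA256(secret, "unsubscribe|user_id|dt"), base64url without padding.
# The delimiter keeps "1"+"23" and "12"+"3" from producing the same message, and
# HMAC keys the hash with the secret instead of mixing the secret into the input.
def unsubscribe_tag(user_id, dt, secret = UNSUBSCRIBE_SECRET)
  msg = "unsubscribe|#{Integer(user_id)}|#{Integer(dt)}"
  raw = OpenSSL::HMAC.digest('SHA256', secret, msg)
  Base64.urlsafe_encode64(raw, padding: false)
end

# The link that goes into the newsletter: id, issue time and tag, no email address.
def unsubscribe_url(user_id, now = Time.now.to_i)
  "#{UNSUBSCRIBE_URL_PRE}/#{user_id}/#{now}/#{unsubscribe_tag(user_id, now)}"
end

# Splits a link built by unsubscribe_url back into [user_id, dt, hd] strings,
# i.e. what Rails would hand the action as params. Returns nil on a bad shape.
def parse_unsubscribe_url(url)
  prefix = "#{UNSUBSCRIBE_URL_PRE}/"
  return nil unless url.start_with?(prefix)
  parts = url[prefix.length..-1].split('/')
  parts.length == 3 ? parts : nil
end

# Constant-time equality so the tag check cannot be probed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verification result: :ok, :bad_params, :bad_tag or :expired.
# Params are validated as digit strings before to_i so "12abc" is rejected
# rather than silently becoming 12.
def verify_unsubscribe(user_id_param, dt_param, hd_param,
                       now: Time.now.to_i, secret: UNSUBSCRIBE_SECRET)
  digits = /\A\d+\z/
  return :bad_params unless user_id_param.to_s.match?(digits) && dt_param.to_s.match?(digits)
  return :bad_params if hd_param.nil? || hd_param.empty?
  user_id = user_id_param.to_i
  dt      = dt_param.to_i
  return :bad_params if user_id < 1
  return :bad_tag unless secure_equal?(hd_param, unsubscribe_tag(user_id, dt, secret))
  # Expiry is checked only after the tag verifies, so dt is the value we signed
  # and a forged timestamp cannot extend a link's life.
  return :expired if now - dt > TOKEN_TTL
  :ok
end
```

In the Rails action this replaces the `hd != expected_hd` branch: look the user up only after `verify_unsubscribe` returns `:ok`, log and redirect on anything else, and never reveal which of the three checks failed. The timestamp carries the expiry for free, so no token needs to be stored in the database, which was the property Tom was after.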