#1
Registered User
Join Date: Jul 2006
Posts: 1
Implement 1click sign in
Hi, wasn't sure which forum to put this in so thought I'd put it in this one. Basically I have a SQL DB which has a table of users. These users receive customised emails that are created using a VB.NET app. These emails contain links to our website (some of which require the user to first log in). I am wondering if you guys know of a way to implement a fairly secure method of allowing this. We (as a company) don't store anything too serious about users (i.e. we are not an ecommerce site); however, we do hold quite a bit of personal information (like the stuff you would find on a CV). I have one method in mind but am not sure of the advantages and disadvantages of it. This method requires a GUID to be created for each user, which is sent in the email as part of the link. When the link is clicked, the page on our side checks to see if the GUID in the link matches the GUID in the DB for that particular user. Do you guys have any other ideas or any better methods? Thanks in advance.
#2
Everything is fine.
Hi and welcome to the forum. I, personally, would advise against using the method you outlined as it has a major security flaw: what if that link was forwarded or shared with another user? By including the user's ID in the link you are allowing anyone to access the "restricted" content. A better solution would be to send a standard link to the viewable content but to password-protect it so the users will have to log in to view it (as you say you already have running). After they have logged in once, you could store a cookie on their system containing a session ID (which is also stored in a Sessions table in a database). For any further content that needs to be viewed, the content page would check to see if the session cookie exists; if it does, you could validate its authenticity and then display the content if everything is OK. If the cookie is not there or the validation fails, then the user will need to log in. This method forms the general mechanics of user logins by combining session state management with user authentication. Many web sites use this method. Of course, it requires that each user has cookies enabled in their browser. Google for further information on session state management; there will be a ton of documentation out there that will help you get a clear picture of how it works on the back-end. If you have any further questions then get posting and we'll see if we can help you out. - Mike
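The two posts above describe a static per-user GUID in the link (#1) and a server-side session table behind a cookie (#2). The example below is an added illustration, not code from either poster, that combines the two safely: the emailed link carries a random, single-use, short-lived login token instead of a permanent identifier, and redeeming it creates a session row and a cookie that every restricted page checks. The in-memory dicts stand in for the SQL tables, and the endpoint URL, the 15-minute link lifetime and the 8-hour session lifetime are assumed values chosen for the example.

```python
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed stand-ins for the Users, LoginTokens and Sessions tables
# from the thread; in a real deployment these are SQL tables.
USERS = {42: {"email": "alice@example.com"}}   # constructed sample row
LOGIN_TOKENS = {}   # sha256(token) -> {"user_id", "expires", "used"}
SESSIONS = {}       # session_id -> {"user_id", "expires"}

LOGIN_TOKEN_TTL = 15 * 60      # assumed: an emailed link is valid for 15 minutes
SESSION_TTL = 8 * 60 * 60      # assumed: a session lasts 8 hours
LOGIN_URL = "https://example.com/login"   # assumed hypothetical endpoint


def _digest(secret: str) -> str:
    # Only a hash of the token is stored, so a copy of the database does not
    # yield working links; the token itself exists only in the email.
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_login_link(user_id: int, now: Optional[float] = None) -> str:
    """Create a fresh random, single-use, expiring login token for user_id
    and return the link to embed in that user's email."""
    now = time.time() if now is None else now
    if user_id not in USERS:
        raise KeyError(user_id)
    # 256 bits from the OS CSPRNG; a GUID is neither secret nor guaranteed random.
    token = secrets.token_urlsafe(32)
    LOGIN_TOKENS[_digest(token)] = {
        "user_id": user_id,
        "expires": now + LOGIN_TOKEN_TTL,
        "used": False,
    }
    return f"{LOGIN_URL}?token={token}"


def token_from_link(link: str) -> str:
    """Pull the token query parameter back out of a link, as the request
    parsing on the landing page would."""
    return parse_qs(urlparse(link).query)["token"][0]


def redeem_login_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Handler for the page the emailed link points at. Returns a new session
    id on success, or None if the token is unknown, expired or already used."""
    now = time.time() if now is None else now
    record = LOGIN_TOKENS.get(_digest(token))
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True        # a forwarded or replayed link is now worthless
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user_id": record["user_id"], "expires": now + SESSION_TTL}
    return session_id


def set_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session id: HttpOnly keeps page scripts away
    from it, Secure keeps it off plain HTTP, SameSite limits cross-site use."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def user_for_session(session_id: str, now: Optional[float] = None) -> Optional[int]:
    """Check run by every restricted page: map the cookie value back to a
    user, or return None when the visitor must log in again."""
    now = time.time() if now is None else now
    record = SESSIONS.get(session_id)
    if record is None:
        return None
    if now > record["expires"]:
        del SESSIONS[session_id]   # drop stale rows instead of leaving them valid
        return None
    return record["user_id"]


if __name__ == "__main__":
    link = issue_login_link(42)
    sid = redeem_login_token(token_from_link(link))
    print(set_cookie_header(sid))
    print("user:", user_for_session(sid))
    print("replay:", redeem_login_token(token_from_link(link)))
```

The point of the `used` flag and the expiry is exactly the forwarding concern raised in #2: a link that leaks after it has been clicked, or sits unread in a mailbox for a week, no longer grants access, whereas a static GUID would grant it indefinitely. Looking the token up by its hash also means the database only ever holds hashes, so an exposed Users table cannot be turned into a set of working sign-in links.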