Email link with protected query string data

tomouse

Technical User
Aug 30, 2010
50
Hi,

My asp/VB.net website needs to send out emails which will contain links. The links will take the recipient to a specific order that is saved on the website. I can link to the page using Request.ServerVariables("SERVER_NAME") and Request.ServerVariables("URL"). And I could add a link to the order using querystring on the end of the link (e.g. ?orderID=1593). However, the user could then see the link and perhaps change orderID value to look at some other order. What is the best way of handling this?

The only thing I can think of is that each order has some hidden, randomised code saved in the DB. We include this in the querystring instead of the ID and this then links to the order. Is this the right approach? If there is a cleverer way then I'd love to hear it! Many thanks,

Tom
 
Authentication and authorization. Verify the user can view/process the order before displaying the order.

Here is just one example of what the code could look like:
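Code:
// Identify the requested order and the signed-in user
var id = getorderid();
var user = getcurrentuser();
// Refuse before loading anything if this user may not view the order
if (!user.CanView<Order>(id))
{
   throw new UnauthorizedAccessToOrder(user, id);
}

var order = GetOrder(id);
Display(order);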

Jason Meckley
Programmer

faq855-7190
faq732-7259
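
As an added example (not code from this thread), here is one way to implement the check described above in C#: the orderID from the emailed link is treated as untrusted input and compared against the order's owner before anything is displayed. The Order class, Access enum, OrderAccess store and sample data are hypothetical, constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical types and constructed sample data, for illustration only.
class Order
{
    public int Id; public string Owner; public string Summary;
}

enum Access { Granted, SignInRequired, BadRequest, NotFound }

static class OrderAccess
{
    static readonly Dictionary<int, Order> Orders = new Dictionary<int, Order>
    {
        { 1593, new Order { Id = 1593, Owner = "alice", Summary = "2 x widget" } },
        { 1594, new Order { Id = 1594, Owner = "bob", Summary = "1 x gadget" } },
    };

    // rawId is the orderID query-string value from the emailed link (untrusted).
    // userName must come from the authenticated session, never from the link.
    public static Access Authorize(string rawId, string userName, out Order order)
    {
        order = null;
        if (string.IsNullOrEmpty(userName)) return Access.SignInRequired;
        int id;
        if (!int.TryParse(rawId, out id)) return Access.BadRequest;
        Order found;
        // Missing orders and other users' orders get the same answer, so the
        // response does not reveal which ids exist.
        if (!Orders.TryGetValue(id, out found) ||
            !string.Equals(found.Owner, userName, StringComparison.Ordinal))
            return Access.NotFound;
        order = found;
        return Access.Granted;
    }
}

static class Program
{
    static void Main()
    {
        Order o;
        Console.WriteLine(OrderAccess.Authorize("1593", "alice", out o));   // own order
        Console.WriteLine(OrderAccess.Authorize("1594", "alice", out o));   // edited id
        Console.WriteLine(OrderAccess.Authorize("1593", null, out o));      // not signed in
        Console.WriteLine(OrderAccess.Authorize("1593;x", "alice", out o)); // malformed id
    }
}
```

With this check in place the link can carry the plain orderID, since changing it only ever leads to orders the signed-in user already owns.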
 
Yeah, that's way better. Thanks Jason.
 