Activate account page, if the activation code is false what should happen?

Last post 08-13-2008 11:29 AM by gunteman. 10 replies.

  • Activate account page, if the activation code is false what should happen?

    07-09-2008, 2:04 PM
    • aspd
    • Joined on 08-26-2007, 9:40 PM
    • Posts 506
    • Points 36

     Hi All.

    I have an activation page and I pass in the value of the activation code with the URL so querystring can pick it up. This is so that when the user enters their username and password it can check against the code and activate or not as necessary. However, what if the activation code that is picked up by querystring is incorrect for whatever reason? I was thinking that I should display like an error page telling the user that this page does not exist or something.

    Any suggestions?

  • Re: Activate account page, if the activation code is false what should happen?

    07-11-2008, 8:41 PM
    Answer
    • vivek_iit
    • Joined on 06-18-2006, 6:13 PM
    • New Delhi
    • Posts 3,125
    • Points 17,294
    • TrustedFriends-MVPs

    Hi,

    If the code is incorrect, then simply display a message like "Invalid code". Also make sure that activation code is either hashed or encrypted so that users can guess the code by looking at some sample values.

    HTH,

    Vivek 

    CodeASP.NET Community

    Please mark the most helpful reply/replies as "Answer".
  • Re: Activate account page, if the activation code is false what should happen?

    07-11-2008, 9:10 PM
    • aspd
    • Joined on 08-26-2007, 9:40 PM
    • Posts 506
    • Points 36

    Thanks. I didn't think of that. I'm using a new GUID value for the activation codes that are sent out. Is that secure enough? And if I do want to hash it, SHA-5 good enough?

  • Re: Activate account page, if the activation code is false what should happen?

    07-11-2008, 9:22 PM
    • vivek_iit
    • Joined on 06-18-2006, 6:13 PM
    • New Delhi
    • Posts 3,125
    • Points 17,294
    • TrustedFriends-MVPs

    SHA is good enough, and it's best to hash GUIDs so that members cannot guess if it's a GUID or not.

    Vivek 

    CodeASP.NET Community

    Please mark the most helpful reply/replies as "Answer".
  • Re: Activate account page, if the activation code is false what should happen?

    07-11-2008, 9:31 PM
    • aspd
    • Joined on 08-26-2007, 9:40 PM
    • Posts 506
    • Points 36

    Cool. How about the stored version on the db? Should I store the hashed version on the db or just hash it when the member goes on the activate page?

  • Re: Activate account page, if the activation code is false what should happen?

    07-11-2008, 9:45 PM
    • vivek_iit
    • Joined on 06-18-2006, 6:13 PM
    • New Delhi
    • Posts 3,125
    • Points 17,294
    • TrustedFriends-MVPs

    In DB GUIDs are fine, but hash them when they are visible publicly.

    Vivek 

    CodeASP.NET Community

    Please mark the most helpful reply/replies as "Answer".
  • Re: Activate account page, if the activation code is false what should happen?

    07-12-2008, 6:51 AM
    • the_web_coder
    • Joined on 02-17-2004, 4:58 AM
    • IOM
    • Posts 161
    • Points 1,020

    Hashing a GUID seems unnecessary; I'm not sure what you would gain from this extra step.

    Mike Cromwell, MCAD
    My Blog
  • Re: Activate account page, if the activation code is false what should happen?

    07-12-2008, 6:13 PM
    • vivek_iit
    • Joined on 06-18-2006, 6:13 PM
    • New Delhi
    • Posts 3,125
    • Points 17,294
    • TrustedFriends-MVPs

    the_web_coder:

    Hashing a GUID seems unnecessary; I'm not sure what you would gain from this extra step.

     

    GUID is the activation code which is stored in the DB, and such fields should not be exposed publicly as per the security best practices. That's why Yahoo (and other major websites) hash their GUIDs in the URL.

    Hope this helps,

    Vivek 

    CodeASP.NET Community

    Please mark the most helpful reply/replies as "Answer".
  • Re: Activate account page, if the activation code is false what should happen?

    07-13-2008, 10:09 AM
    • aspd
    • Joined on 08-26-2007, 9:40 PM
    • Posts 506
    • Points 36

    I have a grid view and when you click upon one of the rows it goes to another page, i.e. .aspx?MemberId=5. Is this a good idea? Because the 5 is a value in the database also; in fact it reflects the primary key of the Member table. It is being exposed publicly, should I hash that also? The thing is, on the load method it uses query string to find out the memberid and then gets the data for that member from the db. How can I work this?

  • Re: Activate account page, if the activation code is false what should happen?

    07-13-2008, 10:32 AM
    • vivek_iit
    • Joined on 06-18-2006, 6:13 PM
    • New Delhi
    • Posts 3,125
    • Points 17,294
    • TrustedFriends-MVPs

    No, you don't need to hide such PKIds because they are not a part of the "sensitive" information, like GUIDs which you are using as Activation code. Basic idea is not to give any hints whatsoever about activation codes to the end user to ensure as much security as you can possibly offer.

    HTH,

    Vivek 

    CodeASP.NET Community

    Please mark the most helpful reply/replies as "Answer".
  • Re: Activate account page, if the activation code is false what should happen?

    08-13-2008, 11:29 AM
    • gunteman
    • Joined on 07-11-2007, 8:57 AM
    • Norrköping, Sweden
    • Posts 2,799
    • Points 19,104

    But hashing (or actually the lookup process which follows) adds a significant overhead, and securing an activation Guid is definitely "supersecuring".

    -- "Mark As Answer" if my reply helped you --
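
Added example, not part of any post in this thread: one way to build the activation flow discussed above in C#, where the e-mailed code is a random 128-bit token from `RandomNumberGenerator` rather than a GUID, only its SHA-256 hash is stored, and every failure produces the same "Invalid code" result. The class name, the in-memory dictionary standing in for the members table, and the user names are assumptions for illustration; it assumes .NET 6 or later and that the username/password check happens before `TryActivate` is called.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class ActivationDemo
{
    // Hypothetical stand-in for the members table:
    // username -> SHA-256 of the pending activation token.
    static readonly Dictionary<string, byte[]> PendingHash = new Dictionary<string, byte[]>();

    // Called at registration; returns the token to embed in the e-mailed link.
    public static string IssueToken(string username)
    {
        byte[] raw = RandomNumberGenerator.GetBytes(16);   // 128 bits from the OS CSPRNG
        string token = Convert.ToHexString(raw);           // 32 hex chars, safe in a query string
        PendingHash[username] = SHA256.HashData(Encoding.UTF8.GetBytes(token));
        return token;                                      // the raw token itself is never stored
    }

    // Called by the activation page with the value read from the query string.
    public static bool TryActivate(string username, string tokenFromQuery)
    {
        // Hash whatever arrived, so malformed input follows the same path as a wrong token.
        byte[] presented = SHA256.HashData(Encoding.UTF8.GetBytes(tokenFromQuery ?? ""));

        byte[] stored;
        bool known = PendingHash.TryGetValue(username, out stored);
        byte[] expected = known ? stored : new byte[32];   // dummy value for unknown users

        // Constant-time comparison; an unknown user can never succeed.
        bool ok = known & CryptographicOperations.FixedTimeEquals(presented, expected);
        if (ok) PendingHash.Remove(username);              // the token is single use
        return ok;
    }

    public static void Main()
    {
        string token = IssueToken("alice");                // constructed sample user
        // Wrong value, correct value, then a replay of the correct value.
        foreach (string attempt in new[] { "not-a-token", token, token })
            Console.WriteLine(TryActivate("alice", attempt) ? "Account activated." : "Invalid code");
        // A user with no pending activation gets the same message as a wrong code.
        Console.WriteLine(TryActivate("bob", token) ? "Account activated." : "Invalid code");
    }
}
```

Because only the hash is stored, a read of the members table does not yield usable activation links, and the lookup is by username, so the hash adds no extra database query.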