mjta
Member
324 Points
684 Posts
SSL and query string in url
Jan 05, 2012 12:47 PM
Can someone intercept this?
bbcompent1
All-Star
32996 Points
8510 Posts
Moderator
Re: SSL and query string in url
Jan 05, 2012 12:50 PM
If you are using SSL, no one can intercept the request. However, the problem would occur with the client machine. I suspect you are considering sending usernames and passwords via this querystring, yes? It can be done, but it's not really a good idea to put usernames and passwords in a GET request (even encrypted), because:
1. URL can be easily copied and pasted to someone else.
2. If a user clicks an outside link, the URL will be sent as the referrer.
3. XSS attacks can be used to hijack the URL.
http://stackoverflow.com/questions/753917/url-querystring-security-question-asp-net
mjta
Re: SSL and query string in url
Jan 05, 2012 01:46 PM
Can you suggest any ASP.NET VS solutions?
My scenario is that a user accesses their account by clicking a link in their email from a public machine.
bbcompent1
Re: SSL and query string in url
Jan 05, 2012 01:48 PM
Is this for a password reset? If so, that's fine because generally after the password reset is used, the link is no longer valid. Can you give me more details on what this link is about?
mjta
Re: SSL and query string in url
Jan 05, 2012 02:31 PM
A user will have a membership account where they use the ASP membership provider to log in and authenticate. I want the user to be able to send an email with a link to a friend that will allow the friend to click the link from their email message and be able to access one page within the account holder's account.
bbcompent1
Re: SSL and query string in url
Jan 05, 2012 02:34 PM
Well, one thing to consider is when the user gets that email, the message will be sent as clear text so that link will be visible to anyone that cares to intercept it. It also means that anyone who gets that link can click it and voila, they are into that page.
mjta
Re: SSL and query string in url
Jan 05, 2012 02:59 PM
With what I want to do... can you suggest a strategy?
bbcompent1
Re: SSL and query string in url
Jan 05, 2012 03:05 PM
You might be able to do something where the link requires a passcode which you could include in an attached PDF on the email. I recall seeing a function that can handle this code generation in PDFSharp, but it's been ages! This way the user has to open the PDF file to get the code, but that access code would not be in clear text but in a PDF file.
mjta
Re: SSL and query string in url
Jan 05, 2012 03:37 PM
So, what if I sent a passcode in the message body of the email over SSL, can it be compromised? Or do I still need it in a PDF to send it over SSL?
bbcompent1
Re: SSL and query string in url
Jan 05, 2012 03:38 PM
It's because the email that gets received by the client's mail server won't be SSL enabled but plain text. Put the access code into a PDF file and that should be secure enough.
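
The thread notes that a password-reset link is acceptable because it stops working once used, and that the friend should reach only one page of the account. The following is an added example, not code from any poster in the thread: a share-link token that is random, tied to a single page, time-limited, and redeemable once, so the URL carries no username or password. It assumes .NET 6 or later; `ShareLinks`, `Grant`, the owner id and the page paths are hypothetical names, and the in-memory dictionary stands in for the site's database.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

public sealed class ShareLinks
{
    private sealed record Grant(string OwnerId, string PagePath, DateTimeOffset Expires);

    // Constructed in-memory store keyed by the SHA-256 of the token, so a leaked
    // copy of the store does not reveal usable links. A real site would use its database.
    private readonly ConcurrentDictionary<string, Grant> _grants = new();

    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.ASCII.GetBytes(token)));

    // Returns the opaque value placed in the emailed link's query string.
    public string Issue(string ownerId, string pagePath, TimeSpan lifetime)
    {
        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _grants[Hash(token)] = new Grant(ownerId, pagePath, DateTimeOffset.UtcNow.Add(lifetime));
        return token;
    }

    // True only for the first request, before expiry, for the one page the grant names.
    public bool TryRedeem(string token, string requestedPath, out string ownerId)
    {
        ownerId = "";
        string key = Hash(token ?? "");
        if (!_grants.TryGetValue(key, out var grant)) return false;
        if (!string.Equals(grant.PagePath, requestedPath, StringComparison.Ordinal)) return false;
        // TryRemove is atomic, so two simultaneous clicks cannot both succeed.
        if (!_grants.TryRemove(key, out _)) return false;
        if (DateTimeOffset.UtcNow > grant.Expires) return false;
        ownerId = grant.OwnerId;
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        var links = new ShareLinks();
        string t = links.Issue("owner-42", "/account/shared-report", TimeSpan.FromHours(24));
        Console.WriteLine(links.TryRedeem(t, "/account/settings", out _));      // wrong page
        Console.WriteLine(links.TryRedeem(t, "/account/shared-report", out _)); // first use
        Console.WriteLine(links.TryRedeem(t, "/account/shared-report", out _)); // replayed link
    }
}
```

Because the token is spent on first use, a copy of the URL that later turns up in browser history, a forwarded message, or a referrer header no longer grants access. Serving the shared page with a `Referrer-Policy: no-referrer` response header also keeps the URL out of requests to outside links.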