Last post Jan 11, 2012 06:18 PM by ray9
Jan 05, 2012 08:47 AM|mjta|LINK
can someone intercept this?
Jan 05, 2012 08:50 AM|bbcompent1|LINK
If you are using SSL, no one can intercept the request. However, the problem would occur with the client machine however. I suspect you are considering sending usernames and passwords via this querystring, yes? It can be done but it's not really a good
idea to put username and passwords in a GET request (even encrypted), because:
1. URL can be easily copied and pasted to someone else.
2. If a user clicks an outside link, the URL will be sent as the referrer.
3. XSS attacks can be used to hijack the URL.
Jan 05, 2012 09:46 AM|mjta|LINK
Can you suggest any ASP.NET VS solutions?
My scenario is that a user access their account by clicking a link in their email from a public machine.
Jan 05, 2012 09:48 AM|bbcompent1|LINK
Is this for a password reset? If so, that's fine because generally after the password reset is used, the link is no longer valid. Can you give me more details on what this link is about?
Jan 05, 2012 10:31 AM|mjta|LINK
A user will have a membership account where they use asp membership provider to login and authenticate. I want the user to be able to send an email with a link to a friend, that will allow the friend to click the link from their email message and be able
to access one page within the account holder's account.
Jan 05, 2012 10:34 AM|bbcompent1|LINK
Well, one thing to consider is when the user gets that email, the message will be sent as clear text so that link will be visible to anyone that cares to intercept it. It also means that anyone who gets that link can click it and voila, they are into that
Jan 05, 2012 10:59 AM|mjta|LINK
with what I want to do...can you suggest a strategy?
Jan 05, 2012 11:05 AM|bbcompent1|LINK
You might be able to do something where the link requires a passcode which you could include in an attached PDF on the email. I recall seeing a function that can handle this code generation in PDFSharp, but its been ages! This way the user has to open the
PDF file to get the code but that access code would not be in clear text but in a pdf file.
Jan 05, 2012 11:37 AM|mjta|LINK
So, what if I sent a passcode in the message body of email over SSL, it can be compromised? Or, do I still need it in pdf to send it over SSL
Jan 05, 2012 11:38 AM|bbcompent1|LINK
Its because the email that gets received by the client's mail server won't be SSL enabled but plain text. Put the access code into a PDF file and that should be secure enough.
Jan 11, 2012 06:18 PM|ray9|LINK
i suggest that you make every account have an extra field to access misc stuff like that,
so that every account would have username/password/passkey
the passkey can be used in the url to access special pages, but without the ability to have full control over the user's account or rest its details in anyway