Last post Jan 25, 2019 08:30 AM by PatriceSc
Jan 24, 2019 11:16 AM|nambir|LINK
We have a product in which we give a certificate after a course is completed.
The certificate is an HTML/MVC page which the user can share on LinkedIn.
The certificate url is
If the user shares it on LinkedIn, anyone can copy the URL, change the userid in the URL and try to manipulate it.
So how can I prevent a hacker/someone from manipulating the userid?
Options I thought of:
Option 1: Generate a GUID for each certificate for a user and pass it in the URL. In a DB table store User ID, GUID and Certificate Number.
Option 2: Generate an encrypted string (or hashed value) based on a combination of UserID and Timestamp for a certificate and pass it in the URL. In a DB table store User ID, Encrypted string and Certificate Number.
Please suggest the best approach I can implement.
Which one is industry standard or best practice?
Jan 24, 2019 12:56 PM|mgebhard|LINK
Use the certificate ID in the URL not the userId. Never put the userId in the URL!
Anyway, the certificate Id will fetch the certificate for a user and I assume will have the user's name etc. If you do not want other users to see the certificate then force the user to log in. Then verify the certificate Id belongs to the logged-in user.
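Option 1 from the question combined with the ownership check in the reply above, as an added C# example that is not code from any poster in this thread: the URL carries a random token (16 bytes from `RandomNumberGenerator`, used here in place of the GUID) instead of the user ID, and a certificate not marked public is returned only to its logged-in owner. The class names, the `IsPublic` flag and the in-memory dictionary standing in for the DB table are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
// Hypothetical row of the certificate table (all names are assumptions).
public sealed class Certificate
{
    public string ShareToken;        // random value, the only identifier in the URL
    public int OwnerUserId;          // stays on the server, never in the URL
    public string CertificateNumber;
    public bool IsPublic;            // the owner chose to share it
}
public sealed class CertificateStore
{
    // In-memory stand-in for the DB table, keyed by the token.
    private readonly Dictionary<string, Certificate> _byToken = new Dictionary<string, Certificate>();

    public string Issue(int ownerUserId, string number, bool isPublic)
    {
        var bytes = new byte[16];    // 128 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        // URL-safe base64 so the token fits in a path segment.
        var token = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _byToken[token] = new Certificate { ShareToken = token, OwnerUserId = ownerUserId,
            CertificateNumber = number, IsPublic = isPublic };
        return token;
    }

    // viewerUserId is null for an anonymous request.
    public Certificate Find(string token, int? viewerUserId)
    {
        if (token == null || !_byToken.TryGetValue(token, out var cert))
            return null;             // unknown token
        if (!cert.IsPublic && viewerUserId != cert.OwnerUserId)
            return null;             // private and viewer is not the owner: same answer
        return cert;
    }
}
public static class Demo
{
    public static void Main()
    {
        var store = new CertificateStore();
        var token = store.Issue(42, "CERT-0001", false);         // constructed sample data
        Console.WriteLine(store.Find(token, 42) != null);        // the owner
        Console.WriteLine(store.Find(token, 7) != null);         // another logged-in user
        Console.WriteLine(store.Find("guessed", null) != null);  // anonymous guess
    }
}
```

A controller action would call `Find` with the token from the route and the ID of the authenticated user, and return the same "not found" response for both `null` cases so a caller cannot tell a private certificate from a nonexistent one.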
Jan 25, 2019 08:19 AM|Yuki Tao|LINK
According to your description, this is still not safe.
I suggest that you encrypt the entire information behind the ? so that the user can't see the key and value of the parameter.
You could refer to this link:
Jan 25, 2019 08:30 AM|PatriceSc|LINK
It depends first on what you want to prevent. Is it a problem if someone chose to show the certificate for someone else on his own page? Sites publishing info about a user use an easy-to-remember user name (LinkedIn or Twitter etc.) which could show the user profile with all its certificates (he can only have one?)
Especially for security, don't do things just because you think "it's more secure". Try first to have a basic understanding of what you are really trying to prevent.