From: Dave Navarro on 18 Feb 2008 12:02

My boss wants to send an email to customers with a URL that allows them to download updates for our products.

http://download.company.com?prod={encrypted_data}

The encrypted data would contain the product ID, customer ID and a date stamp. Our code could decrypt the info, compare against a database and proceed based on various criteria.

I haven't done anything with encryption, so I'm not sure where to begin on something like this. The important thing is that the encrypted value is not sequential, it needs some form of CRC or something to verify its integrity (to prevent people from writing a program that runs through sequential values trying to crack the site).

Everyone on our site is written in classic ASP, so I'm looking for a classic ASP solution. Our host provider (godaddy -- not my choice, so please don't complain at me) does not allow us to install any third-party components, so unfortunately, that is not an option.

Can anyone point me in the right direction?
From: "Jon Paal [MSMD]" Jon nospam Paal on 18 Feb 2008 12:21

http://www.4guysfromrolla.com/webtech/010100-1.shtml

"Dave Navarro" <dave(a)no.way.dude> wrote in message news:MPG.22237634a3631996989680(a)msnews.microsoft.com...
>
> My boss wants to send an email to customers with a URL that allows them
> to download updates for our products.
>
> http://download.company.com?prod={encrypted_data}
>
> The encrypted data would contain the product ID, customer ID and a date
> stamp. Our code could decrypt the info, compare against a database and
> proceed based on various criteria.
>
> I haven't done anything with encryption, so I'm not sure where to begin
> on something like this. The important thing is that the encrypted value
> is not sequential, it needs some form of CRC or something to verify its
> integrity (to prevent people from writing a program that runs through
> sequential values trying to crack the site).
>
> Everyone on our site is written in classic ASP, so I'm looking for a
> classic ASP solution. Our host provider (godaddy -- not my choice, so
> please don't complain at me) does not allow us to install any
> third-party components, so unfortunately, that is not an option.
>
> Can anyone point me in the right direction?
From: McKirahan on 18 Feb 2008 14:45

"Jon Paal [MSMD]" <Jon nospam Paal @ everywhere dot com> wrote in message news:13rjfljjepjva74(a)corp.supernews.com...
> http://www.4guysfromrolla.com/webtech/010100-1.shtml

Here's a stripped down example:

    <%@ Language="VBScript" %>
    <!--#include file="rc4.inc"-->
    <%
    Const cTXT = "Hello World"
    Const cPSW = "rc4"
    ' The same routine encrypts and decrypts
    Dim strTXT : strTXT = EnDeCrypt(cTXT,cPSW)
    Dim strDEC : strDEC = EnDeCrypt(strTXT,cPSW)
    '*
    Response.Write "<li><b>Unencrypted:</b> " & cTXT
    ' URL-encode the raw ciphertext before it goes into a link
    Response.Write "<li><b>Encrypted:</b> " & Server.UrlEncode(strTXT)
    Response.Write "<li><b>Decrypted:</b> " & strDEC
    %>

Obviously, the values would not be hardcoded.

Note that "rc4.inc" is missing "Dim intLength"; thus, you will get an error if you use "Option Explicit".

Also, if the include line ( <!--#include file="rc4.inc"--> ) is moved after your ASP code you may get this error:

    Type mismatch: 'skey'

If you want it after your ASP code then just move dim key(255) to be under "Sub RC4Initialize(strPwd)".
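Added example, not from any poster in this thread: the integrity check the original question asks for ("some form of CRC or something") is normally a keyed MAC, since a CRC can be recomputed by anyone and RC4 on its own only hides the data. The Python below (the thread's target is classic ASP; the key, field layout, function names and 7-day lifetime are assumptions) signs product ID, customer ID and date stamp with HMAC-SHA256 and rejects altered or expired values. It authenticates the fields but does not encrypt them.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment loads a random secret from server config.
SECRET_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 7 * 24 * 3600  # assumed link lifetime: 7 days


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value needs no URL-encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(product_id: int, customer_id: int, issued_at: int) -> str:
    """Return 'payload.tag' where tag = HMAC-SHA256(key, payload)."""
    payload = f"{product_id}|{customer_id}|{issued_at}".encode("ascii")
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, now: int):
    """Return (product_id, customer_id) if authentic and fresh, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # payload or tag was altered
    # Only parse the fields after the MAC has been verified.
    product_id, customer_id, issued_at = (
        int(x) for x in payload.decode("ascii").split("|")
    )
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return None  # expired, or date stamp in the future
    return product_id, customer_id
```

The database comparison described in the question still applies after verification: the MAC proves the site issued the value, not that the customer is still entitled to the download.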
From: Anthony Jones on 19 Feb 2008 04:17

"Dave Navarro" <dave(a)no.way.dude> wrote in message news:MPG.22237634a3631996989680(a)msnews.microsoft.com...
>
> My boss wants to send an email to customers with a URL that allows them
> to download updates for our products.
>
> http://download.company.com?prod={encrypted_data}
>
> The encrypted data would contain the product ID, customer ID and a date
> stamp. Our code could decrypt the info, compare against a database and
> proceed based on various criteria.
>
> I haven't done anything with encryption, so I'm not sure where to begin
> on something like this. The important thing is that the encrypted value
> is not sequential, it needs some form of CRC or something to verify its
> integrity (to prevent people from writing a program that runs through
> sequential values trying to crack the site).
>
> Everyone on our site is written in classic ASP, so I'm looking for a
> classic ASP solution. Our host provider (godaddy -- not my choice, so
> please don't complain at me) does not allow us to install any
> third-party components, so unfortunately, that is not an option.
>
> Can anyone point me in the right direction?

A more secure approach is not to place any data at all in any form on the URL.

Instead place all the data you want to associate with the URL in a database table and use a GUID as key.

The URL you place in the email need only reference the GUID. This has many advantages over encrypting the data. The amount of data the URL can represent can be large yet the URL will not be very big. It's simple and doesn't require all that mucking about with encryption algorithms. It's more secure since there is no way to decipher the URL and no way to spoof alternative data.

--
Anthony Jones - MVP ASP/ASP.NET
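Added example, not Anthony Jones's code: the table-lookup design described in the post above, in Python with an in-memory SQLite table standing in for the site's database. The table schema, function names and 7-day lifetime are assumptions, and a 256-bit random token from the OS CSPRNG is used where the post says GUID, because GUIDs are specified for uniqueness, not unpredictability.

```python
import secrets
import sqlite3

LINK_LIFETIME = 7 * 24 * 3600  # assumed: links stay valid for 7 days


def open_store() -> sqlite3.Connection:
    """In-memory stand-in for the site's database (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE download_links ("
        " token TEXT PRIMARY KEY,"
        " product_id INTEGER NOT NULL,"
        " customer_id INTEGER NOT NULL,"
        " expires_at INTEGER NOT NULL)"
    )
    return db


def issue_link(db, product_id: int, customer_id: int, now: int) -> str:
    """Store the real data server-side and return the URL to e-mail."""
    token = secrets.token_urlsafe(32)  # 256 random bits, URL-safe text
    db.execute(
        "INSERT INTO download_links VALUES (?, ?, ?, ?)",
        (token, product_id, customer_id, now + LINK_LIFETIME),
    )
    return "http://download.company.com?prod=" + token


def resolve(db, token: str, now: int):
    """Return (product_id, customer_id) for a known, unexpired token, else None."""
    row = db.execute(
        "SELECT product_id, customer_id, expires_at"
        " FROM download_links WHERE token = ?",  # parameterised: token is untrusted
        (token,),
    ).fetchone()
    if row is None or now > row[2]:
        return None  # unknown token or expired link
    return row[0], row[1]
```

The URL carries nothing about the product or customer, so a link can be revoked by deleting its row.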
From: Dave Navarro on 21 Feb 2008 05:52
In article <ukiVBhtcIHA.4476(a)TK2MSFTNGP06.phx.gbl>, Ant(a)yadayadayada.com says...
>
> "Dave Navarro" <dave(a)no.way.dude> wrote in message
> news:MPG.22237634a3631996989680(a)msnews.microsoft.com...
> >
> > My boss wants to send an email to customers with a URL that allows them
> > to download updates for our products.
> >
> > http://download.company.com?prod={encrypted_data}
> >
> > The encrypted data would contain the product ID, customer ID and a date
> > stamp. Our code could decrypt the info, compare against a database and
> > proceed based on various criteria.
> >
> > I haven't done anything with encryption, so I'm not sure where to begin
> > on something like this. The important thing is that the encrypted value
> > is not sequential, it needs some form of CRC or something to verify its
> > integrity (to prevent people from writing a program that runs through
> > sequential values trying to crack the site).
> >
> > Everyone on our site is written in classic ASP, so I'm looking for a
> > classic ASP solution. Our host provider (godaddy -- not my choice, so
> > please don't complain at me) does not allow us to install any
> > third-party components, so unfortunately, that is not an option.
> >
> > Can anyone point me in the right direction?
>
> A more secure approach is not to place any data at all in any form on the
> URL.
>
> Instead place all the data you want to associate with the URL in a database
> table and use a GUID as key.
>
> The URL you place in the email need only reference the GUID. This has many
> advantages over encrypting the data. The amount of data the URL can
> represent can be large yet the URL will not be very big. It's simple and
> doesn't require all that mucking about with encryption algorithms. It's more
> secure since there is no way to decipher the URL and no way to spoof
> alternative data.

Hmm... thanks.

--Dave