Encrypted URL

[Dave Navarro]

My boss wants to send an email to customers with a URL that allows them
to download updates for our products.

http://download.company.com?prod={encrypted_data}

The encrypted data would contain the product ID, customer ID and a date
stamp. Our code could decrypt the info, compare against a database and
proceed based on various criteria.

I haven't done anything with encryption, so I'm not sure where to begin
on something like this. The important thing is that the encrypted value
is not sequential, it needs some form of CRC or something to verify its
integrity (to prevent people from writing a program that runs through
sequential values trying to crack the site).

Everyone on our site is written in classic ASP, so I'm looking for a
classic ASP solution. Our host provider (godaddy -- not my choice, so
please don't complain at me) does not allow us to install any third-
party components, so unfortunately, that is not an option.

Can anyone point me in the right direction?

 

[Anthony Jones]

My boss wants to send an email to customers with a URL that allows them
to download updates for our products.

http://download.company.com?prod={encrypted_data}

The encrypted data would contain the product ID, customer ID and a date
stamp. Our code could decrypt the info, compare against a database and
proceed based on various criteria.

I haven't done anything with encryption, so I'm not sure where to begin
on something like this. The important thing is that the encrypted value
is not sequential, it needs some form of CRC or something to verify its
integrity (to prevent people from writing a program that runs through
sequential values trying to crack the site).

Everyone on our site is written in classic ASP, so I'm looking for a
classic ASP solution. Our host provider (godaddy -- not my choice, so
please don't complain at me) does not allow us to install any third-
party components, so unfortunately, that is not an option.

Can anyone point me in the right direction?

A more secure approach is not to place any data at all in any form on the
URL.

Instead place all the data you want to associate with the URL in a database
table an use a GUID as key.

The URL you place in the email need only reference the GUID. This is many
advantages over encrypting the data. The amount of data the URL can
represent can be large yet the URL will not be very big. Its simple and
doesn't require all that mucking about with encryption algorithms. Its more
secure since there is no way to decipher the URL and no way to spoof
alternative data.

 

[Dave Navarro]

A more secure approach is not to place any data at all in any form on the
URL.

Instead place all the data you want to associate with the URL in a database
table an use a GUID as key.

The URL you place in the email need only reference the GUID. This is many
advantages over encrypting the data. The amount of data the URL can
represent can be large yet the URL will not be very big. Its simple and
doesn't require all that mucking about with encryption algorithms. Its more
secure since there is no way to decipher the URL and no way to spoof
alternative data.

Hmm... thanks.

--Dave

 

[Dave Navarro]

Thanks!!

http://www.4guysfromrolla.com/webtech/010100-1.shtml

My boss wants to send an email to customers with a URL that allows them
to download updates for our products.

http://download.company.com?prod={encrypted_data}

The encrypted data would contain the product ID, customer ID and a date
stamp. Our code could decrypt the info, compare against a database and
proceed based on various criteria.

I haven't done anything with encryption, so I'm not sure where to begin
on something like this. The important thing is that the encrypted value
is not sequential, it needs some form of CRC or something to verify its
integrity (to prevent people from writing a program that runs through
sequential values trying to crack the site).

Everyone on our site is written in classic ASP, so I'm looking for a
classic ASP solution. Our host provider (godaddy -- not my choice, so
please don't complain at me) does not allow us to install any third-
party components, so unfortunately, that is not an option.

Can anyone point me in the right direction?