How secure is querystring authentication using uniqueidentifier

Nils N

Hi all,

Does anyone have a best practice for performing querystring
authentication? I am now sending an email with a url to which the user
clicks to confirm his or her registration. The url contains a Guid in
the querystring, and this is validated against the user's
uniqueidentifier in the sql server database. How secure is the
uniqueidentifier, and should I use an MD5 encryption with a seed, or DES
encryption instead?

Any help greatly appreciated

Regards

Nils ([email protected])

Patrice

Someone who reads this mail knows the internal user id of the user in the
database.

I would use a temporary identifier for this *action* to avoid exposing
internal details (for example it could be the guid of a registration action
that is recorded in an action table; once the action is done, this id
becomes totally unused; you could use the same table for other actions)...

You could also encrypt, but generally I would say that it's still best to avoid
exposing something rather than to have to encrypt it...

Lastly, GUIDs were previously created in sequence but it has been changed to
create unguessable sequences. You may still want to check if you run under
an old system (so that the action id can't be guessed, so that a user could
easily trigger another action)...

Patrice
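As an added example, not code from either poster, here is the action-table approach Patrice describes, in Python with an in-memory SQLite database standing in for SQL Server. The table, column and function names are constructed for this example. It goes slightly beyond the post: the link token is random rather than derived from the user's uniqueidentifier, only its SHA-256 hash is stored so that a read of the table does not yield working links, each token is bound to one action and expires, and a second helper checks whether a GUID is a time-based version 1 value (the older, predictable kind Patrice warns about) or a random version 4.

```python
import hashlib
import secrets
import sqlite3
import time
import uuid


# In-memory SQLite stands in for the SQL Server database; the table and
# column names are constructed for this example.
def create_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE pending_action (
               token_hash TEXT PRIMARY KEY,   -- SHA-256 of the token, never the token itself
               action     TEXT NOT NULL,      -- e.g. 'confirm_registration'
               user_id    TEXT NOT NULL,      -- internal id stays server-side
               expires_at INTEGER NOT NULL    -- unix time
           )"""
    )
    return conn


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_token(conn, user_id, action, ttl_seconds=3600, now=None) -> str:
    """Create a single-use token bound to one action for one user.

    The token is random (not derived from the user's uniqueidentifier), so
    the link reveals nothing about internal ids, and only its hash is stored.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    conn.execute(
        "INSERT INTO pending_action (token_hash, action, user_id, expires_at) "
        "VALUES (?, ?, ?, ?)",
        (_hash_token(token), action, user_id, int(now + ttl_seconds)),
    )
    conn.commit()
    return token


def redeem_token(conn, token, action, now=None):
    """Return the user_id the token was issued for, or None.

    Succeeds only if the token exists for this exact action and has not
    expired.  The row is deleted on first use, so a link from a forwarded or
    leaked e-mail cannot be replayed.
    """
    now = time.time() if now is None else now
    digest = _hash_token(token)
    row = conn.execute(
        "SELECT user_id, expires_at FROM pending_action "
        "WHERE token_hash = ? AND action = ?",
        (digest, action),
    ).fetchone()
    if row is None:
        return None
    # Consume the row whether or not it is still valid.
    conn.execute("DELETE FROM pending_action WHERE token_hash = ?", (digest,))
    conn.commit()
    user_id, expires_at = row
    if now > expires_at:
        return None
    return user_id


def guid_is_guessable(value: str) -> bool:
    """True unless the GUID is an RFC 4122 version 4 (random) value.

    Version 1 GUIDs embed a timestamp and a node identifier, so consecutive
    ones are predictable; this is the check for Patrice's "old system" case.
    """
    return uuid.UUID(value).version != 4


if __name__ == "__main__":
    db = create_store()
    link_token = issue_token(db, user_id="42", action="confirm_registration")
    print("mail this:", f"https://example.invalid/confirm?t={link_token}")
    print("first use  ->", redeem_token(db, link_token, "confirm_registration"))
    print("second use ->", redeem_token(db, link_token, "confirm_registration"))
    # Constructed sample: the RFC 4122 DNS namespace UUID is a version 1 value.
    print("v1 GUID guessable?", guid_is_guessable("6ba7b810-9dad-11d1-80b4-00c04fd430c8"))
```

The user's row is found by looking up the hash of the presented token, so the internal id never appears in the URL and a stolen copy of the table is not enough to forge a confirmation link; deleting the row on first use gives the "once the action is done, this id becomes totally unused" property without any further bookkeeping.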