GUID or Encryption for Security

  • Question

  • User2048898515 posted

    Hi Team,

We have a product in which, after a user completes a course, we give them a certificate.

The certificate is an HTML/MVC page which the user can share on LinkedIn.

The certificate URL is www.company.com/certificate?userid=1234

    Problem:

If the user shares it on LinkedIn, anyone can copy the URL, change the userid in the URL and try to manipulate it.

So how can I prevent a hacker/someone from manipulating the userid?

    Options I thought:

Option 1: Generate a GUID for each certificate for a user and pass it in the URL. In the DB table store User ID, GUID and Certificate Number.

    www.company.com/certificate?guid=1d8412b2-cd3e-4142-a838-1b59b17f7cf6

Option 2: Generate an encrypted string (or hashed value) based on a combination of UserID and Timestamp for a certificate and pass it in the URL.

In the DB table store User ID, Encrypted string and Certificate Number.

    www.company.com/certificate?Key=5666666188888899

Please suggest the best approach I can implement.

Which one is the industry standard or best practice?

    Thursday, January 24, 2019 11:16 AM

Answers

  • User1520731567 posted

    Hi nambir,

    According to your descriptions,

    www.company.com/certificate?guid=1d8412b2-cd3e-4142-a838-1b59b17f7cf6

    www.company.com/certificate?Key=5666666188888899

    This is still not safe.

I suggest that you encrypt the entire information behind it so that the user can't see the key and value of the parameter.

    You could refer to this link:

    https://forums.asp.net/post/6165850.aspx

    Best Regards.

    Yuki Tao

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, January 25, 2019 8:19 AM

All replies

  • User475983607 posted

Use the certificate ID in the URL, not the userId. Never put the userId in the URL!

Anyway, the certificate Id will fetch the certificate for a user and I assume it will have the user's name etc. If you do not want other users to see the certificate, then force the user to log in. Then verify the certificate Id belongs to the logged-in user.

    Thursday, January 24, 2019 12:56 PM
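Added example (Python, written for this thread; it is not code from any poster and not ASP.NET code) that puts the question's two options and the owner check from the reply above side by side. It shows why a sequential userid in the URL is enumerable, how Option 1 becomes safe when the identifier is an unguessable random token from a CSPRNG, why Option 2 is only safe as a keyed MAC (a bare hash of userid+timestamp can be recomputed by anyone), and how to enforce that a certificate belongs to the logged-in user. The in-memory `CERTIFICATES` dict and `SERVER_KEY` are constructed stand-ins for the DB table and server configuration the question mentions; all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a server-side secret; in a real deployment this
# would come from configuration / a key store, never from the URL.
SERVER_KEY = secrets.token_bytes(32)

# Constructed stand-in for the DB table (UserID, token, CertificateNumber):
# token -> (user_id, certificate_number)
CERTIFICATES = {}

# "~" is an unreserved URL character (RFC 3986), so it needs no escaping and
# cannot appear in the hex tag; certificate numbers must not contain it.
SEP = "~"


# --- Option 1: unguessable random identifier stored in the table -----------
def issue_random_token(user_id, certificate_number):
    """Issue a 256-bit random token from the OS CSPRNG and record it.
    Unlike userid=1234, it cannot be enumerated: editing characters in the
    URL has a negligible chance of landing on another valid token."""
    token = secrets.token_urlsafe(32)  # 43 URL-safe characters, no padding
    CERTIFICATES[token] = (user_id, certificate_number)
    return token


def lookup_random_token(token):
    """Resolve a token taken from the URL; None for unknown tokens."""
    return CERTIFICATES.get(token)


# --- Option 2 done wrong: bare hash of predictable inputs ------------------
def naive_hash_token(user_id, issued_at):
    """SHA-256 of userid:timestamp with no secret. Anyone who knows or
    guesses the inputs recomputes the same value, so it proves nothing."""
    return hashlib.sha256(f"{user_id}:{issued_at}".encode()).hexdigest()


# --- Option 2 done right: keyed MAC over the parameters --------------------
def make_signed_token(user_id, certificate_number, issued_at):
    """Self-contained token: readable payload plus an HMAC under SERVER_KEY.
    The payload is not hidden, but changing any field (e.g. the userid)
    invalidates the tag, and the tag cannot be forged without the key."""
    payload = SEP.join([str(user_id), certificate_number, str(issued_at)])
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + SEP + tag


def verify_signed_token(token):
    """Return (user_id, certificate_number) if the tag verifies, else None.
    compare_digest keeps the comparison constant-time."""
    parts = token.split(SEP)
    if len(parts) != 4:
        return None
    user_id, certificate_number, issued_at, tag = parts
    payload = SEP.join([user_id, certificate_number, issued_at])
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return int(user_id), certificate_number


# --- Owner check from the reply: the certificate must belong to the viewer --
def view_certificate(token, logged_in_user_id):
    """Resolve an Option 1 token and require that it belongs to the
    logged-in user. Returns the certificate number, or None when the
    token is unknown or owned by someone else (same response for both, so
    the caller cannot probe which tokens exist)."""
    record = lookup_random_token(token)
    if record is None:
        return None
    owner, certificate_number = record
    if owner != logged_in_user_id:
        return None
    return certificate_number


if __name__ == "__main__":
    tok = issue_random_token(1234, "CERT-0001")
    print("random token:", tok, "->", lookup_random_token(tok))
    signed = make_signed_token(1234, "CERT-0001", 1548328560)
    print("signed token verifies:", verify_signed_token(signed))
    print("tampered token verifies:", verify_signed_token(signed.replace("1234~", "1235~", 1)))
```

Which variant fits depends on the threat model raised later in the thread: if the certificate is meant to be public on LinkedIn, an unguessable token (Option 1) is enough to stop URL guessing while still allowing anyone with the link to view it; if only the owner may view it, the owner check in `view_certificate` is what actually enforces that, and the token format is secondary.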
  • User753101303 posted

    Hi,

It depends first on what you want to prevent. Is it a problem if someone chose to show the certificate of someone else on his own page? Sites publishing info about a user use an easy-to-remember user name (LinkedIn or Twitter etc.) which could show the user profile with all its certificates (he can only have one?)

Especially for security, don't do things just because you think "it's more secure". Try first to have a basic understanding of what you are really trying to prevent.

    Friday, January 25, 2019 8:30 AM