SSL and query string in URL

  • Question

  • User-2087919080 posted

    can someone intercept this?

    Thursday, January 5, 2012 8:47 AM

Answers

  • User-718146471 posted

    It's because the email that gets received by the client's mail server won't be SSL enabled but plain text. Put the access code into a PDF file and that should be secure enough.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, January 5, 2012 11:38 AM

All replies

  • User-718146471 posted

    If you are using SSL, no one can intercept the request. However, the problem would occur with the client machine. I suspect you are considering sending usernames and passwords via this querystring, yes? It can be done but it's not really a good idea to put usernames and passwords in a GET request (even encrypted), because:

     1. URL can be easily copied and pasted to someone else.

     2. If a user clicks an outside link, the URL will be sent as the referrer.

     3. XSS attacks can be used to hijack the URL.

    http://stackoverflow.com/questions/753917/url-querystring-security-question-asp-net

    Thursday, January 5, 2012 8:50 AM
  • User-2087919080 posted

    Can you suggest any ASP.NET VS solutions?

    My scenario is that a user accesses their account by clicking a link in their email from a public machine.

    Thursday, January 5, 2012 9:46 AM
  • User-718146471 posted

    Is this for a password reset? If so, that's fine because generally after the password reset is used, the link is no longer valid. Can you give me more details on what this link is about?

    Thursday, January 5, 2012 9:48 AM
  • User-2087919080 posted

    A user will have a membership account where they use the ASP.NET membership provider to log in and authenticate. I want the user to be able to send an email with a link to a friend, that will allow the friend to click the link from their email message and be able to access one page within the account holder's account.

    Thursday, January 5, 2012 10:31 AM
  • User-718146471 posted

    Well, one thing to consider is when the user gets that email, the message will be sent as clear text so that link will be visible to anyone that cares to intercept it. It also means that anyone who gets that link can click it and voila, they are into that page.

    Thursday, January 5, 2012 10:34 AM
  • User-2087919080 posted

    With what I want to do... can you suggest a strategy?

    Thursday, January 5, 2012 10:59 AM
  • User-718146471 posted

    You might be able to do something where the link requires a passcode which you could include in an attached PDF on the email. I recall seeing a function that can handle this code generation in PDFSharp, but it's been ages! This way the user has to open the PDF file to get the code, but that access code would not be in clear text but in a PDF file.

    Thursday, January 5, 2012 11:05 AM
  • User-2087919080 posted

    So, what if I sent a passcode in the message body of an email over SSL, can it be compromised? Or, do I still need it in a PDF to send it over SSL?

    Thursday, January 5, 2012 11:37 AM
  • User-728859679 posted

    I suggest that you make every account have an extra field to access misc stuff like that,

    so that every account would have username/password/passkey.

    The passkey can be used in the URL to access special pages, but without the ability to have full control over the user's account or reset its details in any way.

    Wednesday, January 11, 2012 6:18 PM
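The last two replies together describe the safer shape: a passkey scoped to special pages only, never the account password, and a link that is assumed to leak (copied, sent as a referrer, read from a plaintext mailbox). The following Python is an added example, not code from the thread or from ASP.NET; it builds a share token that is signed with a server-side secret, bound to one account and one page, time-limited and single-use, so a leaked link grants nothing beyond that page. The secret, account id and page path are constructed placeholders.

```python
import base64, hashlib, hmac, json, os, time

# Server-side secret (constructed placeholder). In ASP.NET this would live in
# protected configuration; it never appears in the URL or the email.
SERVER_SECRET = b"constructed-example-secret-change-me"
USED_NONCES = set()  # single-use tracking; a real app would persist this in the database

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_share_token(account_id: str, page: str, ttl_seconds: int, now=None) -> str:
    """Build a signed token that grants access to exactly one page of one account."""
    now = time.time() if now is None else now
    claims = {"acct": account_id, "page": page,
              "exp": int(now + ttl_seconds), "nonce": _b64(os.urandom(12))}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def check_share_token(token: str, requested_page: str, now=None):
    """Return the account id the token unlocks, or None if it is forged,
    expired, already used, or presented for a page it was not issued for."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None  # signature mismatch: tampered or forged token
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None  # malformed token
    if claims["exp"] < now or claims["page"] != requested_page:
        return None  # expired, or scoped to a different page
    if claims["nonce"] in USED_NONCES:
        return None  # link already redeemed once
    USED_NONCES.add(claims["nonce"])
    return claims["acct"]
```

The page handler looks up the account returned by `check_share_token` and renders only that one page; the token carries no membership credentials, so a copied or intercepted link cannot log in or reset the account.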