help in approach needed

Guest

Hello.
I'll explain the needs first of all.

We need to send a link by email (to an existing customer) so that when he
presses the link, his data will show on a form which he can update.

We need to ensure a couple of things:

1) The link we are sending to his email has an id with the customer ID. How to
prevent the customer from changing the id and maybe seeing others' data?

2) We do not want to use a user_id, password mechanism to let him log on to
the form the link redirects to. Are there any other ways to ensure that the
customer won't pass his email with his link to someone else?

We thought of maybe, instead of the link, sending a small form with a button,
and when the user clicks on it we maybe can take his email from his email
client and compare that email to the one in our DB, to ensure that he/she is
right now using the form we want. Is this possible?

TIA for any direction
 
1) The link we are sending to his email has an id with the customer ID. How to
prevent the customer from changing the id and maybe seeing others' data?

Create a table EmailForm

CustomerID   UniqueEmailID
1            33ad06ca-ed68-41a2-ab37-d95be21b590e
2            f69403f3-3083-4760-b692-965640f9d712

and send a link in the following format

Email.aspx?UniqueEmailID=f69403f3-3083-4760-b692-965640f9d712

This will ensure that the customer will access only his own data.

Such UniqueEmailID can be generated using the System.Guid.NewGuid()
method.


2) We do not want to use a user_id, password mechanism to let him log on to
the form the link redirects to. Are there any other ways to ensure that the
customer won't pass his email with his link to someone else?

I don't think it's possible.
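
The lookup-table link from the reply above, as an added C# example that is not part of the thread. It goes beyond the post in three ways: the token comes from RandomNumberGenerator because Microsoft's documentation advises against using Guid.NewGuid() for cryptographic purposes, only a hash of the token is stored, and links expire. The class name EmailFormLinks, the in-memory dictionary standing in for the EmailForm table, and the 7-day lifetime are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// In-memory stand-in for the EmailForm table (hypothetical class, not from the thread).
public class EmailFormLinks
{
    private class Row { public int CustomerId; public DateTime ExpiresUtc; }
    // Keyed by SHA-256 of the token, so a copy of the table does not yield usable links.
    private readonly Dictionary<string, Row> _rows = new Dictionary<string, Row>();

    // Returns the value to place in Email.aspx?UniqueEmailID=...
    public string Issue(int customerId, TimeSpan lifetime)
    {
        var bytes = new byte[32]; // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = ToHex(bytes);
        _rows[Hash(token)] = new Row { CustomerId = customerId, ExpiresUtc = DateTime.UtcNow + lifetime };
        return token;
    }

    // Resolves the query-string value server-side; the URL never carries a customer ID.
    public bool TryResolve(string token, out int customerId)
    {
        customerId = 0;
        if (string.IsNullOrEmpty(token) || !_rows.TryGetValue(Hash(token), out Row row)) return false;
        if (DateTime.UtcNow >= row.ExpiresUtc) { _rows.Remove(Hash(token)); return false; }
        customerId = row.CustomerId;
        return true;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return ToHex(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    private static string ToHex(byte[] b) => BitConverter.ToString(b).Replace("-", "").ToLowerInvariant();
}

public static class Demo
{
    public static void Main()
    {
        var links = new EmailFormLinks();
        string token = links.Issue(2, TimeSpan.FromDays(7)); // constructed sample customer
        Console.WriteLine("Email.aspx?UniqueEmailID=" + token);
        Console.WriteLine(links.TryResolve(token, out int id) + " -> customer " + id);
        Console.WriteLine(links.TryResolve(token.Substring(1) + "0", out id)); // altered value
        Console.WriteLine(links.TryResolve(links.Issue(1, TimeSpan.Zero), out id)); // already expired
    }
}
```

The token is still a bearer credential: whoever holds the link can open the form, so expiry only limits how long a forwarded link keeps working.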
 
ziros said:
Hello.
I'll explain the needs first of all.

We need to send a link by email (to an existing customer) so that when he
presses the link, his data will show on a form which he can update.

We need to ensure a couple of things:

1) The link we are sending to his email has an id with the customer ID. How to
prevent the customer from changing the id and maybe seeing others' data?

You can generate random ids in a sophisticated format so that it won't be
easy to guess someone else's id.

2) We do not want to use a user_id, password mechanism to let him log on to
the form the link redirects to. Are there any other ways to ensure that the
customer won't pass his email with his link to someone else?

Did you ever see a web site granting access to sensitive data without user
authentication?

We thought of maybe, instead of the link, sending a small form with a button,
and when the user clicks on it we maybe can take his email from his email
client and compare that email to the one in our DB, to ensure that he/she is
right now using the form we want. Is this possible?

No. The user can pick his email in many ways, from different locations or
from a web-based email with no email client in the first place.

TIA for any direction



--
Eliyahu Goldin,
Software Developer & Consultant
Microsoft MVP [ASP.NET]
http://msmvps.com/blogs/egoldin
http://usableasp.net
 
I agree with Alex's solution for the first one. Another option is that you can
encode the user's email and pass it along with the ID in the URL, and before you
save the details on the form, decode the email ID and check if the email goes
with the ID.

For the second issue, I have used the same approach except that instead of
asking for email ID, the secret question the user set up during registration
will be asked and the response will be compared with the one the user
provides when the email link is clicked.
 