
how secure is Querystring authentication using uniqueidentifier

Hi all,

Does anyone have a best practice for performing querystring
authentication? I am now sending an email with a url to which the user
clicks to confirm his or her registration. The url contains a Guid in
the querystring, and this is validated against the user's
uniqueidentifier in the sql server database. How secure is the
uniqueidentifier, and should I use an md5 encryption with a seed, or DES
encryption instead?

Any help greatly appreciated

Regards

Nils (ni*****@no-spam.hotmail.com)
Nov 18 '05 #1


Someone who reads this mail knows the internal user id of the user in the
database.

I would use a temporary identifier for this *action* to avoid exposing
internal details (for example it could be the guid of a registration action
that is recorded in an action table; once the action is done, this id
becomes totally unused; you could use the same table for other actions)...

You could also encrypt, but generally I would say that it's still best to avoid
exposing something rather than to have to encrypt it...

Lastly, GUIDs were previously created in sequence but it has been changed to
create unguessable sequences. You may still want to check if you run under
an old system (so that the action id can't be guessed so that a user could
easily trigger another action)...

Patrice

Nov 18 '05 #2
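
The action-table approach suggested in the reply above, as an added example that is not code from either poster. It goes a little further than the thread: the link value comes from the OS CSPRNG rather than a GUID, only its SHA-256 hash is stored, and the record expires. SQLite stands in for SQL Server, and the table, column and function names and the 24-hour lifetime are assumptions.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 24 * 3600  # assumed validity window; the thread names none

def open_db():
    """In-memory SQLite database standing in for the SQL Server action table."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE pending_action (
        token_hash TEXT PRIMARY KEY,  -- SHA-256 of the token, never the token itself
        user_id    TEXT NOT NULL,     -- internal id, stays server-side
        action     TEXT NOT NULL,     -- e.g. 'confirm_registration'
        expires_at REAL NOT NULL,
        used_at    REAL)""")
    return db

def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()

def issue_token(db, user_id, action, now=None):
    """Record a one-off action and return the value to put in the e-mailed URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute("INSERT INTO pending_action VALUES (?, ?, ?, ?, NULL)",
               (_digest(token), user_id, action, now + TTL_SECONDS))
    db.commit()
    return token

def redeem_token(db, token, action, now=None):
    """Return the user id if the token is valid, unused and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        token_hash = _digest(token)
    except (UnicodeEncodeError, AttributeError):
        return None  # not a string, or not ASCII: cannot be one of our tokens
    # One UPDATE checks validity and marks the row used in the same statement,
    # so two concurrent clicks on the same link cannot both succeed.
    cur = db.execute(
        "UPDATE pending_action SET used_at = ? "
        "WHERE token_hash = ? AND action = ? AND used_at IS NULL AND expires_at > ?",
        (now, token_hash, action, now))
    db.commit()
    if cur.rowcount != 1:
        return None
    row = db.execute("SELECT user_id FROM pending_action WHERE token_hash = ?",
                     (token_hash,)).fetchone()
    return row[0]
```

Because the lookup key is a hash of the token, a read-only leak of the table does not yield usable confirmation links.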
