Obfuscating a url

Question

I'm working on an asset management website where in whenever an asset is issued to a user the system would send an email notification with a url in it that would show the user all the assets issued to him. I could have used the query string to pass the user ID but again people could abuse it to view assets issued to other users. My client doesn't wants the user to authenticate themselves when they click on the link. So i need something that would hide the parameters being passed in the query string or at least make them obscure. I've read about url encoding, GUID etc. but i'm not sure what to do. I'm just a beginner. Please pardon my ignorance and point me in the right direction.

Answer 1

Taken what you have said, that you're just a beginner, and assuming that this will be public, you can do the easiest way:

Create a new table in your database and called for example tbl_links, as columns just add 3

user_id (foreigner key to the user table)
guid (primary key, unique)
settings (nvarchar(250)

When you need to send an email, create a new row for the user, for example:

Guid guid = Guid.New();
String settings = "date_from:2012/01/01;date_to:2013/01/01";

And insert it one the database, where the link that you put in the email, should have the guid, for example, http://domain.com/info/?g=....

You could append Json to that settings column and parse it into an object again in the code, ask a new question if you want to take this route.

I personally use a security algorithm to pass only the user_id but you did said you're a beginner, so I only showed you the easy and still valid way.

---

P.S. for security reasons, you should say in the email that your link is only valid for the next 4 hours or so you can prevent people from generating GUIDs in order to try and get some information.... Simple add a create_date column of type datetime and use that to see if the link already expired or not...

Answer 2

What you can do is to add some prefix and suffix to the id and the encrypt that string. Something like this:

static public string EncodeTo64(string toEncode)
{
  byte[] toEncodeAsBytes
        = System.Text.ASCIIEncoding.ASCII.GetBytes(toEncode);
  string returnValue
        = System.Convert.ToBase64String(toEncodeAsBytes);
  return returnValue;
}

static public string DecodeFrom64(string encodedData)
{
  byte[] encodedDataAsBytes
      = System.Convert.FromBase64String(encodedData);
  string returnValue =
     System.Text.ASCIIEncoding.ASCII.GetString(encodedDataAsBytes);
  return returnValue;
}

string prefix = "lhdsjñsdgñdfj";
string suffix  = "dfknsfñn3ih";

var strToEncode = prefix + "|" + id + "|" + suffix;
var encoded =  EncodeTo64(str);

var decoded = DecodeFrom64(encoded).Split('|');

if( decoded.length != 3 || decoded[0] != prefix || decoded[2] != suffix )
    throw new InvalidArgumentException("id");

var decodedId = decoded[1];

Answer 3

Trying to secure access to a URL is not the right approach. Give the urls away freely and authenticate your users instead.

I would also highly recommend using SSL for serving up this data.

Security through obscurity fails 100% of the time once the obscurity is not longer obscure.

Answer 4

For obscuring URL parameters, you want to use a modified Base64 encoding. Please keep in mind that obscurity is not security, and Base64 encoding something does not in any way make anything secure.

If you're intending to use this for authentication purposes, I think you should reconsider. Look into public key encryption and digital signatures as a starting point.