Reputation: 5745
make a certain URL valid only for 48 hours
I have a need to make a certain URL valid only for 48 hours, This link is generated on the server and sent to the client via email.
What I thought of doing is embedding a encoded time stamp on the server.
- This time stamp of course needs to be encoded, how ever I don't want my client side to have decoding capabilities.
- Another thought is using a public encryption where the key is the user name
What are the best practices for this scenario?
Upvotes: 2
Views: 6773
Answers (4)
Reputation: 1167
This implementation is not secure to use, see my note below.
If you'd like to implement your check like @craig1231 suggested who uses your idea to "encode" a timestamp, you can use code like this:
private const string SECRET = "secret of your choice";
private string getSHA1Hash(string strToHash)
{
System.Security.Cryptography.SHA1CryptoServiceProvider sha1Obj = new System.Security.Cryptography.SHA1CryptoServiceProvider();
byte[] bytesToHash = System.Text.Encoding.Default.GetBytes(strToHash);
bytesToHash = sha1Obj.ComputeHash(bytesToHash);
string strResult = "";
foreach (byte b in bytesToHash)
{
strResult += b.ToString("x2");
}
return strResult.ToLower();
}
public bool IsValidRequest(long expiryTicks, string hash)
{
var expired = new DateTime(expiryTicks);
var toHash = expiryTicks + SECRET;
if (expired < DateTime.Now)
return false;
if (hash.ToLower() == getSHA1Hash(toHash))
return true;
return false;
}
public string GetHashForExpiryTicks(long expiryTicks)
{
var toHash = expiryTicks + SECRET;
return getSHA1Hash(toHash);
}
To generate a link you can get your hash parameter like this
var hash = GetHashForExpiryTicks(DateTime.Now.AddHours(48).Ticks);
Edit 2022: Note that this is an at least suboptimal if not insecure implementation, given this a) uses SHA1 and b) does not do proper message signing. A valid implementation would sign the expiry timestamp using a proper message signing algorithm like HMAC. For an example how to sign and verify using C# and HMAC that is secure (as of 2022-01), see for example Microsoft's docs here. Note that the example signs a file and demonstartes the relevant concepts but is not as specific to the original question as my outdated above answer was.
Upvotes: 6
Reputation: 3877
The way Amazon S3 does it is to have an expiry and a hashed parameter...
http://www.myurl.com/index.php?expire=1409140600&hash=3984cfabc
So the hashed parameter validates the URL, and the expiry parameter validates the date
Upvotes: 2
Reputation: 595
you've option to store the link and time of its creation in database. when user request that link, compare the time of creation with current time and if it is less than two days then full fill the request otherwise show some error message and delete the link from database :)
Upvotes: 1
Reputation: 15158
I would store the link in a database with an Id and an expiration date. When the user visits the link, I'll cross check the expiration date and see if it's expired.
Upvotes: 8
Related Questions
- How can I make a webpage expire after a certain date and become not accessible?
- ASP.NET Do something when time expires
- Block website for a specific time slot(maintainence activity)
- How to make a time restricted web page?
- Asp.net c# 301 redirect when page has expired
- C# ASP.NET using TimeSpan to restrict hours to log into a website
- ASP.Net C# create a cookie that expires at midnight
- Making a web site available only for a specified time
- asp.net - Disable some content during certain period of time
- executing a c# function after each 24 hours