Reputation: 77
I am currently building an ecommerce website using ASP.NET MVC 3. At the end of the checkout process, I have a view which displays a summary of the order including the customer's contact details (Name, Email, Address, Contact #, etc.).
I am using a GUID in the query string which is used to retrieve the information from the DB and display it on the page (e.g., www.site.com/Checkout/Complete?ID={GUID}). Is this considered bad practice in terms of security? Someone would need to guess the GUID to access any customer information, which seems just about impossible. Should I be going to the additional effort of authenticating the user before displaying the information?
Many thanks
Upvotes: 3
Views: 141
Reputation: 13058
The user should be authenticated and your code should check if the current logged in user has access to that information.
Upvotes: 1
Reputation: 150228
The GUID itself is extremely hard to guess or brute-force. There are two to the power of 125 possible GUIDs (not 2^128, as some bits have fixed meaning).
Larger concerns would be
If the purpose is to allow someone to link back to an order they had previously placed, I would allow the GUID to pre-populate the User Name for convenience, but still require the password.
If this is happening during a browsing session and for some reason you need a GUID (can't you store that information in the user's session?), I would tend to create a one-time GUID for that purpose, rather than have the user's Unique ID exposed. Map the one-time GUID to the user's actual Unique ID in server code (could be a salted hash of the real GUID, or could be mapped in a mapping table).
Upvotes: 2
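One way to implement the one-time GUID mapping table from the last answer together with the ownership check from the first answer, as an added example that is not code from any of the posts. The class `OneTimeOrderTokens`, its method names, the integer order id and the in-memory dictionary are assumptions; `owner` is assumed to be the authenticated user name (for example `User.Identity.Name` in the controller).

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical helper: maps a short-lived, single-use GUID to an order.
public sealed class OneTimeOrderTokens
{
    private sealed class Entry
    {
        public int OrderId;
        public string Owner;
        public DateTime ExpiresUtc;
    }

    private readonly ConcurrentDictionary<Guid, Entry> _map =
        new ConcurrentDictionary<Guid, Entry>();
    private readonly TimeSpan _lifetime;

    public OneTimeOrderTokens(TimeSpan lifetime) { _lifetime = lifetime; }

    // Called when the order is placed. The returned GUID goes in the URL;
    // the real order id never leaves the server.
    public Guid Issue(int orderId, string owner)
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);            // all 128 bits from the CSPRNG
        var token = new Guid(bytes);
        _map[token] = new Entry
        {
            OrderId = orderId, Owner = owner,
            ExpiresUtc = DateTime.UtcNow + _lifetime
        };
        return token;
    }

    // Returns the order id, or null when the token is unknown, already used,
    // expired, or issued to a different user. The entry is removed before the
    // checks, so any failed attempt also burns the token (fail closed).
    public int? Redeem(Guid token, string currentUser)
    {
        Entry e;
        if (!_map.TryRemove(token, out e)) return null;
        if (e.ExpiresUtc < DateTime.UtcNow) return null;
        if (!string.Equals(e.Owner, currentUser, StringComparison.Ordinal)) return null;
        return e.OrderId;
    }
}
```

Entries that are never redeemed stay in the dictionary in this version; a database table with an expiry column or a periodic sweep would handle that.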