This question has probably been asked before, but it seems like I can't phrase my search correctly enough to find the answer.

Normally when you sign up to get access to a forum on the internet, an authorisation email is sent to you and you can click a link which leads you to a page which performs the authorisation.

What I want is to send a mail to an already created user (not logged in though), and let them accept a proposal by clicking on a link in the mail. The link of course points to a page which performs the database operations and shows some kind of result.

Which techniques and/or route should I take to implement this? And since this is security related, what should I watch out for?

Kind regards, Casper

A: 

When you send the email, generate a big random string and store it in a table with their user ID and some indication of what the link is going to do.

Then send them the email with a link to DoSomething.aspx?id=long_string_here.

Write DoSomething.aspx so that it looks up the long string and presents the user with a confirmation of what they will do and a button to do it. No logging in required. You could even leave the user logged in, if you want.

After the action is complete, or every X days, delete the string from the table.

Concerns:

  1. Bad people may try hitting your page with random strings. If your strings are long enough and random enough, this won't matter, but you may want to throttle access to the page or prevent more than X requests from an IP address in a given period.
  2. Aggressive spam-checkers may follow the link from the body of the email. Make sure that no operation is performed simply by accessing the page; the user should have to click a button or otherwise cause a POST.
Jeremy Stein
Hey, that looks exactly like what I'm looking for. I will definitely dive into that - Thanks!
Chau
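
The token lifecycle from the answer, as an added example that is not part of the original thread: framework-independent Python with an in-memory SQLite table standing in for the real database. The table and function names and the three-day lifetime are assumptions, and storing only a hash of the string goes one step beyond what the answer describes.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 3 * 24 * 3600  # assumed value for the answer's "every X days"

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE link_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER,"
           " action TEXT, expires_at REAL)")


def _digest(token):
    # Only a hash is stored (an addition to the answer), so a leaked table
    # does not hand out working links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id, action, now=None):
    """Create the long random string that goes into the e-mailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute("INSERT INTO link_tokens VALUES (?, ?, ?, ?)",
               (_digest(token), user_id, action, now + TTL_SECONDS))
    return token


def preview(token, now=None):
    """GET handler logic: describe the pending action, change nothing."""
    now = time.time() if now is None else now
    return db.execute("SELECT user_id, action FROM link_tokens"
                      " WHERE token_hash = ? AND expires_at > ?",
                      (_digest(token), now)).fetchone()


def confirm(token, now=None):
    """POST handler logic: consume the token, then return what to perform."""
    now = time.time() if now is None else now
    row = preview(token, now)
    if row is None:
        return None
    # Delete first and check rowcount so a replayed POST cannot succeed twice.
    cur = db.execute("DELETE FROM link_tokens WHERE token_hash = ?", (_digest(token),))
    return row if cur.rowcount == 1 else None


def purge_expired(now=None):
    now = time.time() if now is None else now
    return db.execute("DELETE FROM link_tokens WHERE expires_at <= ?", (now,)).rowcount
```

The page behind the link calls `preview` on GET to render the confirmation button and `confirm` only on POST, so a mail scanner that fetches the URL leaves the token untouched.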