Is it possible to create a page that redirects to a private page if a correct time sensitive variable is passed?

Ex: http://www.mysite.com/redirectpage.aspx?code=0912042400

The code value is a year-month-day-time combination that must fall within some time window (15 min, 30 min etc) based on the server's time.

The redirectpage would parse the code and would redirect to a private page (using an obfuscated url with the code variable) if the code is valid or show a 404.

Usage scenario:

  • Party A wishes to show party B a private page.
  • A sends a link to B with a code that is valid for the next 30 minutes.
  • B clicks the link and is redirected to a private page.
  • After 31 minutes clicking the link produces a 404 and a refresh/postback of the private page also produces a 404.

Thanks

A: 

As an example, in ASP.NET I would cache a key-value pair with the code and the redirect page, and set the cache timeout to 30 mins. Just a quick example, but this is very possible.

Paul Creasey
A: 

The one issue you are going to run into here is how easy it would be to simply change the url and view private information.

The approach I would take would be this:

  1. When the private page is generated, make a new record in the database with an encrypted key, that contains the starting available time, and the starting ending time.
  2. Put this encrypted ID in the URL.
  3. When the person goes to the page, look up the timestamps, make sure they are within range, then redirect them to a 404 page.
GSto
A: 

One way of doing it is to pass the page an encrypted time-limit as part of the query string. Something like http://www....aspx?timelimit=[encrypted]. Where [encrypted] isn't user editable. You may just need to hash the DateTime somehow.

Kris
One can ALWAYS edit the query string... ?
Eric J.
If I get an email with `http://www.foobar.com/abc.aspx=3` in it, I can paste it into my browser and change 3 to 4. Even an HTML form can be hacked by someone with the will (they can edit the HTML and use it to POST whatever values they want). Although, most people probably won't go to this trouble.
Kris
That's my point. What did you mean by "Where [encrypted] isn't user editable" then?
Eric J.
A smart user could see a time that is plain text (such as 10:00 am) and know how to edit it. Encryption prevents the 'how' and makes user edits meaningless. This is what I meant by the encrypted item not being user editable - it isn't that the user can't change the content, but that they can't change the content in a meaningful way.
Kris
A: 

Yes, you could do it that way. However, encoding the valid date range in the value passed is a security risk.

A better approach would be to generate a random code and store that code in a database along with a date range for when the code is valid.

That way there's less of an opportunity for malicious users to guess valid values.

Joseph Anderson
If "that way" refers to my solution, that's what the secret key and md5 hash are about. With a sufficiently long secret key, there is almost zero risk of guessing a valid key.
Eric J.
+1  A: 

This is a simple task for a database-connected web application. The basic algorithm would be to insert a "ticket" into a database table. The ticket would be composed of a random string and a timestamp.

When a request comes in for the page, the script that generates that page can look in the ticket table to see if there is a record that matches the code passed in via the URL argument. If there is a record, the script then checks to see if the timestamp is expired. If so, generate the 404 page. Otherwise show the correct info.

There may be a pre-built content management system module or a canned script that can do this, but I don't know of one myself.

Al Crowley
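
The ticket-table approach described in the answers above (a random code stored with its validity window), as an added example that is not part of any original answer. It is written in Python with an in-memory SQLite table standing in for the site's database; the table, function names and page name are assumptions, and storing only a SHA-256 digest of the code is an extra hardening step the answers do not mention.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 30 * 60  # validity window from the question's scenario


def open_store():
    # Assumption: in-memory SQLite stands in for the application's database.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tickets ("
        " code_hash TEXT PRIMARY KEY,"
        " page TEXT NOT NULL,"
        " expires_at INTEGER NOT NULL)"
    )
    return db


def _digest(code):
    # Only the digest is stored, so a leaked table does not reveal live links.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def issue_ticket(db, page, now=None):
    """Create a ticket for `page` and return the code to put in the URL."""
    now = int(time.time()) if now is None else now
    code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO tickets (code_hash, page, expires_at) VALUES (?, ?, ?)",
        (_digest(code), page, now + TTL_SECONDS),
    )
    db.commit()
    return code


def redeem_ticket(db, code, now=None):
    """Return the private page for a live ticket, or None (caller sends 404)."""
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT page, expires_at FROM tickets WHERE code_hash = ?",
        (_digest(code),),
    ).fetchone()
    if row is None or now > row[1]:
        # Unknown and expired codes get the same answer; purge expired rows.
        db.execute("DELETE FROM tickets WHERE expires_at < ?", (now,))
        db.commit()
        return None
    return row[0]
```

The private page itself has to call `redeem_ticket` on every request, including refreshes and postbacks, otherwise the expiry only protects the redirect.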
+2  A: 

Yes.

One approach is to concatenate the "valid start time" with a private string known only to the server. Generate a hash code (e.g. MD5 hash) based on that concatenated value. Send the "valid start time" and the hash back to the client. They pass both back in to view the page. The server re-combines the "valid start time" with the secret key, recomputes the hash, and ensures it matches the passed-in hash. If it matches, compare the passed-in time to the server time to make sure the redirect is still valid.

There is no need for a database of valid keys and what time range they pertain to with this approach. You can even add the page name for the redirect to the time to make the system completely self-contained.

Server computes:

Hash = md5("2009-12-12 10:30:00" + "MyPage.aspx" + Secret Key)

Send to client:

"2009-12-12 10:30:00" + "MyPage.aspx", Hash

Client later sends to server

"2009-12-12 10:30:00" + "MyPage.aspx", Hash

Server checks

newHash = md5("2009-12-12 10:30:00" + "MyPage.aspx" + Secret Key)
Hash == newHash?
Yes and time within window then redirect, else error.
Eric J.
I was looking for a simple solution and this looks good. Thanks
JKJKJK
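
The self-contained signed link from the answer above, as an added example that is not part of the original answer. It is written in Python and swaps HMAC-SHA256 in for the answer's `md5(time + page + secret)`, with a length-prefixed message so the time and page fields cannot run together; the parameter names, key and page name are assumptions.

```python
import hashlib
import hmac
import time

# Assumption: placeholder key for the example. A real deployment loads a
# random key of at least 32 bytes from server-side configuration.
SECRET_KEY = b"constructed-demo-key-replace-me"
WINDOW_SECONDS = 30 * 60  # link lifetime from the question's scenario


def _mac(start, page):
    # Length-prefix the page name so field boundaries are unambiguous.
    msg = "{}|{}|{}".format(start, len(page), page).encode("utf-8")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_link_params(page, now=None):
    """Query-string parameters the server hands to the client."""
    start = int(time.time()) if now is None else now
    return {"start": str(start), "page": page, "sig": _mac(start, page)}


def verify_link_params(params, now=None):
    """Return the page to redirect to, or None (caller sends 404)."""
    now = int(time.time()) if now is None else now
    try:
        start = int(params["start"])
        page = params["page"]
        sig = params["sig"]
    except (KeyError, ValueError, TypeError):
        return None
    if not isinstance(page, str) or not isinstance(sig, str):
        return None
    # Verify the MAC in constant time before trusting any field.
    expected = _mac(start, page).encode("ascii")
    if not hmac.compare_digest(expected, sig.encode("utf-8")):
        return None
    # Only now compare the authenticated start time with the server clock.
    if not (start <= now <= start + WINDOW_SECONDS):
        return None
    return page
```

Unlike a database ticket, a signed link cannot be revoked before it expires unless the key is rotated, and the private page must run the same verification on every request.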
A: 

Do you know ahead of time when the X minutes will start? Some sites have promotion codes for specific times (hours, days etc) and if you know it ahead of time you can check if the request from the client is within those times.

If you do not know it ahead of time, this is what I would do.

  1. Make sure that the user given token/code is valid

  2. Create a session object with the code as the session key (you can do that in ASP.NET, not sure about other programming languages) and the IP (or any unique string as value for that key; if behind a proxy, IP will not work, so generate a GUID and pass it as a secure cookie to the client when sending the response). This will prevent multiple users from accessing the secure resource at the same time (though not sure if this is a part of your requirement).

  3. Note down the first request time in the session and DB.

  4. You can expire the session after X minutes (http://stackoverflow.com/questions/509141/get-session-to-expire-gracefully-in-asp-net).

  5. For subsequent requests check the validity of the key (cookie) sent by the client (against the server-side value) and the request time with the first request time + X minutes. If the key and time are valid, let him access the resource; if the key is invalid, tell the user that there is already a session in progress.

  6. If the user tries to access it after X minutes, (you know it from the session) send a "your page cannot be served as your X minutes has expired since visiting the page the first time" instead of sending a 404 (404 says the resource was not found and would not convey that the request time was not valid) or log him out

ram