Hi all,

I am in the process of creating an app in which a customer can add email addresses to an event. This means that each email address is sent 2 URLs via email when added to the list, 1 URL to accept and the other to decline. The URL is made up of a number of query parameters, IDs etc.

The issue I have is that I want to prevent the scenario in which someone could "guess" another person's URL - as such guess the combination of parameters etc. While this is very unlikely, I still want to prevent such.

I have seen several scenarios to help prevent this, i.e. add a hash value, encrypt the URL etc. However I am looking for the most secure and best practice approach to this and would like any possible feedback.

As an aside I am coding in C#, but I don't believe the solution to this is language specific.

Thanks in advance.

A: 

I agree this is not language specific. I had a situation very similar to this within the last few years. It needed to be extremely secure due to children and parents receiving the communications. The fastest solution was something like the following:

  1. First store the information that you would use in the URL as parameters somewhere in a database. This should be relatively quick and simple.
  2. Create two GUIDs.
  3. Associate the first GUID with the data in the database that you would have used for processing an "acceptance".
  4. Associate the second GUID for a "decline" record in the database.
  5. Create the two URLs with only the GUIDs as parameters.
  6. If the Acceptance URL is clicked, use the database data associated with it to process the acceptance.
  7. If the Decline is clicked, delete the data out of the database, or archive it, or whatever.
  8. After a timeframe, if no URL is clicked, delete or archive the data associated with those GUIDs so that they can no longer be used.

GUIDs are extremely hard to guess, and the likelihood of guessing one that is actually usable would be so unlikely it is nearly impossible.

Tim C
Thanks Tim, went with this - works a treat!
Niall Collins
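The opaque-token design from Tim's answer, written out as an added example in C# (this is not code from the thread; the in-memory dictionary, the `example.invalid` host and the .NET 6+ APIs are assumptions). It follows the same eight steps but draws the token from `RandomNumberGenerator` instead of relying on `Guid.NewGuid()`, stores only a SHA-256 of the token so a copied database table cannot be replayed, attaches the expiry from step 8, and retires both links of a pair on first use so an accept cannot be followed by a decline:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: opaque one-time tokens for accept/decline links (assumes .NET 6 or later).
public sealed class InvitationLinks
{
    private sealed class Invitation
    {
        public int InvitationId;     // links the accept and decline tokens of one invitation
        public int EventId;
        public string Email = "";
        public DateTime ExpiresUtc;
        public bool IsAccept;        // true = accept token, false = decline token
    }

    // Keyed by SHA-256(token): the database never holds a usable token (assumption: stands in for a real table).
    private readonly Dictionary<string, Invitation> _byTokenHash = new();
    private int _nextInvitationId = 1;

    // 32 bytes from the OS CSPRNG = 256 bits of entropy, more than the 122 random bits of a v4 GUID.
    private static string NewToken() => Base64Url(RandomNumberGenerator.GetBytes(32));

    private static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static string HashToken(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    // Steps 1-5: store the data, mint two tokens, associate each, build URLs carrying only the token.
    public (string acceptUrl, string declineUrl) Issue(int eventId, string email, TimeSpan lifetime)
    {
        int id = _nextInvitationId++;
        DateTime expires = DateTime.UtcNow.Add(lifetime);
        string acceptToken = NewToken();
        string declineToken = NewToken();
        _byTokenHash[HashToken(acceptToken)] =
            new Invitation { InvitationId = id, EventId = eventId, Email = email, ExpiresUtc = expires, IsAccept = true };
        _byTokenHash[HashToken(declineToken)] =
            new Invitation { InvitationId = id, EventId = eventId, Email = email, ExpiresUtc = expires, IsAccept = false };
        return ($"https://example.invalid/event/accept?id={acceptToken}",
                $"https://example.invalid/event/decline?id={declineToken}");
    }

    // Steps 6-8: resolve the token, reject expired or wrong-endpoint use, retire the pair afterwards.
    public string Redeem(string token, bool viaAcceptEndpoint)
    {
        if (!_byTokenHash.TryGetValue(HashToken(token), out Invitation? inv)) return "unknown";
        if (DateTime.UtcNow > inv.ExpiresUtc) { Retire(inv.InvitationId); return "expired"; }
        if (inv.IsAccept != viaAcceptEndpoint) return "unknown";   // accept token on the decline endpoint, or vice versa
        Retire(inv.InvitationId);
        return (inv.IsAccept ? "accepted:" : "declined:") + inv.Email + "@event" + inv.EventId;
    }

    private void Retire(int invitationId)
    {
        var stale = new List<string>();
        foreach (var kv in _byTokenHash)
            if (kv.Value.InvitationId == invitationId) stale.Add(kv.Key);
        foreach (string key in stale) _byTokenHash.Remove(key);
    }

    public static void Main()
    {
        var links = new InvitationLinks();
        var (acceptUrl, declineUrl) = links.Issue(eventId: 42, email: "guest@example.invalid", lifetime: TimeSpan.FromDays(7));
        Console.WriteLine(acceptUrl);
        Console.WriteLine(declineUrl);

        string acceptToken = acceptUrl.Substring(acceptUrl.IndexOf("id=") + 3);
        string declineToken = declineUrl.Substring(declineUrl.IndexOf("id=") + 3);
        Console.WriteLine(links.Redeem(acceptToken, viaAcceptEndpoint: true));    // accepted:guest@example.invalid@event42
        Console.WriteLine(links.Redeem(declineToken, viaAcceptEndpoint: false));  // unknown (pair retired on first use)
        Console.WriteLine(links.Redeem("not-a-real-token", viaAcceptEndpoint: true)); // unknown
    }
}
```

Two of the choices deserve a sentence. Hashing the stored token is cheap and means that neither a database backup nor a read-only SQL injection hands out working links; and checking the endpoint against the token's purpose means an attacker who intercepts the decline link cannot use it to accept on the guest's behalf.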
A: 

I'm guessing you are saving these email addresses somewhere. So it's quite easy to make a secure identifier for each entry you have. Whether that is a hash or some encryption technique, doesn't really matter. But I guess a hash is easier to implement and actually meant for this job.

So you hash for example the email address, the PK value of the record, with the timestamp of when it was added, and some really impossible to guess salt. Just concatenate the various fields together and hash them.

In the end, you send nothing but the hashed key to the server. So when you send those two links, they could look as follows:

http://www.url.com/newsletter/acceptsubscription.aspx?id=x1r15ff2svosdf4r2s0f1
http://www.url.com/newsletter/cancelsubscription.aspx?id=x1r15ff2svosdf4r2s0f1

When the user clicks such a link, your server looks in the database for the record which contains the supplied key. Easy to implement, and really safe if done right. No way in hell someone can guess another person's key. Just bear in mind the standard things when doing something with hashing. Such as:

  • Do not forget to add salt.
  • Pick a really slow, and really secure, hashing algorithm.
  • Just make sure that no one can figure out their own hash, from information they can possess.
  • If you are really scared of people doing bad things, make sure to stop brute-forcing by adding throttle control to the website. Only allow X number of requests per minute for example. Or some form of banning on an IP address.

I'm not an expert at these things, so there might be room for improvement. However I think this should point you in the right direction.

edit: I have to add; the solution provided by Tim C is also good. GUIDs are indeed very useful for situations like these, and work effectively the same as my hashed solution above.

Cloud
Cheers Cloud, interesting way of carrying out what I required, decided on the Guid approach though.
Niall Collins
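Cloud's derived-key variant, as an added example in C# (not code from the thread; the server key, the `ThrottledRedeem` endpoint shape and the .NET 6+ APIs are assumptions). It keeps the idea of hashing the record's own fields but does so with an HMAC under a server-side secret, which is the concrete way to meet the third bullet ("no one can figure out their own hash from information they can possess"): the fields are known to the subscriber, the key is not. The action name is mixed into the input so the accept and cancel keys differ, the check uses a constant-time comparison, and a small fixed-window throttle covers the last bullet:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: HMAC-derived link keys plus a per-client request throttle (assumes .NET 6 or later).
public static class DerivedLinkKeys
{
    // Constructed for the example; in production this comes from a secret store, never from source.
    private static readonly byte[] ServerKey = RandomNumberGenerator.GetBytes(32);

    // Hash of (PK, email, added timestamp) as the answer describes, keyed with the server secret.
    public static string Derive(int recordId, string email, DateTime addedUtc, string action)
    {
        string material = $"{recordId}|{email.Trim().ToLowerInvariant()}|{addedUtc:O}|{action}";
        byte[] mac = HMACSHA256.HashData(ServerKey, Encoding.UTF8.GetBytes(material));
        return Convert.ToBase64String(mac).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Recompute from the stored record and compare in constant time; never compare with ==.
    public static bool Verify(int recordId, string email, DateTime addedUtc, string action, string presented)
    {
        byte[] expected = Encoding.UTF8.GetBytes(Derive(recordId, email, addedUtc, action));
        byte[] got = Encoding.UTF8.GetBytes(presented);
        return expected.Length == got.Length && CryptographicOperations.FixedTimeEquals(expected, got);
    }
}

// "Only allow X requests per minute" per client, fixed window (assumption: the client id is the source IP).
public sealed class Throttle
{
    private readonly int _limit;
    private readonly TimeSpan _window;
    private readonly Dictionary<string, (DateTime windowStart, int count)> _buckets = new();

    public Throttle(int limit, TimeSpan window) { _limit = limit; _window = window; }

    public bool Allow(string client, DateTime nowUtc)
    {
        if (!_buckets.TryGetValue(client, out var b) || nowUtc - b.windowStart >= _window)
            b = (nowUtc, 0);
        b.count++;
        _buckets[client] = b;
        return b.count <= _limit;
    }
}

public static class Program
{
    // Stand-in for the subscriber table: PK -> (email, added timestamp). Constructed sample data.
    private static readonly Dictionary<int, (string email, DateTime addedUtc)> Records = new()
    {
        [17] = ("alice@example.invalid", new DateTime(2024, 3, 1, 9, 30, 0, DateTimeKind.Utc)),
    };
    private static readonly Throttle Limiter = new(limit: 5, window: TimeSpan.FromMinutes(1));

    // Models cancelsubscription.aspx?rid=17&key=...: throttle first, then load the record and verify.
    public static string ThrottledRedeem(string clientIp, int recordId, string key, string action, DateTime nowUtc)
    {
        if (!Limiter.Allow(clientIp, nowUtc)) return "throttled";
        if (!Records.TryGetValue(recordId, out var rec)) return "unknown";
        if (!DerivedLinkKeys.Verify(recordId, rec.email, rec.addedUtc, action, key)) return "unknown";
        return $"{action}:{rec.email}";
    }

    public static void Main()
    {
        var (email, added) = Records[17];
        string cancelKey = DerivedLinkKeys.Derive(17, email, added, "cancel");
        string acceptKey = DerivedLinkKeys.Derive(17, email, added, "accept");
        Console.WriteLine($"https://example.invalid/newsletter/cancelsubscription.aspx?rid=17&key={cancelKey}");

        DateTime now = new DateTime(2024, 3, 2, 12, 0, 0, DateTimeKind.Utc);
        Console.WriteLine(ThrottledRedeem("198.51.100.7", 17, cancelKey, "cancel", now)); // cancel:alice@example.invalid
        Console.WriteLine(ThrottledRedeem("198.51.100.7", 17, acceptKey, "cancel", now)); // unknown (wrong action)
        Console.WriteLine(ThrottledRedeem("198.51.100.7", 17, cancelKey + "x", "cancel", now)); // unknown

        // Sixth request inside the same minute from one client is refused before any verification runs.
        for (int i = 0; i < 3; i++) ThrottledRedeem("198.51.100.7", 17, "guess", "cancel", now);
        Console.WriteLine(ThrottledRedeem("198.51.100.7", 17, cancelKey, "cancel", now)); // throttled
    }
}
```

On the second bullet: a slow hash is the right tool when the input is a low-entropy password that an attacker can try offline; here the input is unguessable because of the 256-bit server key, so a single HMAC-SHA256 is sufficient and keeps the verification cheap, and the throttle exists to cap online guessing against the endpoint rather than to compensate for a fast hash.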