views: 171

answers: 6

What is considered best practice to generate a URL that is publicly accessible, but shared via a side channel, so that it is in practice private to the group sharing it?

Something like:

http://example.com/club/XX-XX-XX-XX
http://example.com/club/YY-YY-YY-YY

Where XX-XX-XX-XX is shared among one group, and YY-YY-YY-YY is shared by another group. If you have one valid code, it should not be easy to guess other valid codes.

No other security is required for the URL.

+3  A: 

GUIDs are always a good choice for unique IDs and are very easy to generate (but look ugly).

Gord
A GUID contains 128 bits of information. If we assume a webserver can handle 10K requests/second, a guesser would need over 1x10^27 years to try each possibility in turn. That seems excessive, so something shorter than a GUID sounds better to me.
John McAleely
A: 

Consider using Amazon S3; they have time-limited exposed URLs.

A: 

I would recommend generating a UUID. You can use Java's java.util.UUID and URLEncode/Decode its textual representation if your back-end is in Java. I'm sure there's an equivalent in .NET if you're using ASP.NET.

MattK
A: 

To generate the path part of the URL, use some form of hash (SHA1 will do), randomized of course. chmod the directory where the files reside to 711 (rwx--x--x).

vartec
A: 

A random sequence of alphanumeric characters would do the job. Characters chosen among 26 lower case letters, 26 upper case letters and 10 numbers, repeated a dozen times, should largely be enough for your needs.

mouviciel
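The random 62-character code from the answer above, together with the guessing-time estimate from the earlier comment (10K requests/second), as an added example that is not from any of the posters. The function names, the 12-character length, the 4-character grouping and the group names are assumptions made for illustration.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, as in the answer
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def new_code(length=12, group=4):
    """Random code from the OS CSPRNG, dash-grouped for readability."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return "-".join(raw[i:i + group] for i in range(0, length, group))

def entropy_bits(length=12):
    """Bits of entropy in a code of `length` uniformly random symbols."""
    return length * math.log2(len(ALPHABET))

def expected_guesses(space, valid_codes=1):
    """Mean guesses (no repeats) before hitting any one of the valid codes."""
    return (space + 1) / (valid_codes + 1)

def years_to_try(guesses, per_second=10_000):
    """Wall-clock years to send `guesses` requests at the given rate."""
    return guesses / per_second / SECONDS_PER_YEAR

def issue_codes(groups, length=12):
    """Map a fresh, distinct code to each group name."""
    table = {}
    for name in groups:
        code = new_code(length)
        while code in table:  # collision is astronomically unlikely
            code = new_code(length)
        table[code] = name
    return table

def resolve(code, table):
    """Return the group for a code taken from the URL path, or None."""
    return table.get(code)

if __name__ == "__main__":
    table = issue_codes(["chess", "rowing"])  # constructed group names
    for code, name in table.items():
        print(f"http://example.com/club/{code}  ->  {name}")
    print(f"{entropy_bits():.1f} bits per 12-character code")
    space = len(ALPHABET) ** 12
    hit = years_to_try(expected_guesses(space, 1000))
    print(f"{hit:.2e} years expected to hit 1 of 1000 valid codes")
    print(f"{years_to_try(2 ** 128):.2e} years to try every 128-bit value")
```

The number of valid codes in circulation matters as much as the code length: every issued code is another target in the same space, so the expected guessing time shrinks roughly in proportion.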
A: 

You're in a trade-off between complexity and readability (or even memorability). A GUID offers a 'unique' code that, as has been mentioned, is easy to generate; however, readability and memorability are low. Random character strings arbitrarily split might also offer a solution. Lastly, English words randomly chosen would be easier to memorise and communicate and would probably still offer the same level of isolation and protection.

After all, unless your users are particularly diligent and disable address history and browser history, the URL will be there for all to see who subsequently visit the machine.

Lazarus