flynny


encrypting inbox style

Hi all,

We have created a messaging structure for one of our sites (i.e. a Hotmail-style inbox, etc.).

Now we want to avoid URL hacking with the view message page. To avoid this we are looking at encrypting the querystring to avoid the hacking (or another solution if you can recommend a better one).

So the user would log in (the site is using auth=form) (here we would create a unique encryption key and store it in a session??)

The user would then go to their inbox, and when they click to view the whole message we will encrypt the data, pass it to the view message page and decode it to load it.

Can anyone provide some code (or links) for this please?

Also, one problem I envisage is with the session variables timing out before the auth=forms does? Are there any precautions I can take to completely remove this issue?

Thanks in advance for the help guys.

Matt.
r3nder

Here is how to encrypt data and pass it to the memory stream:


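using System.IO;
using System.Security.Cryptography;

// CreateKeyIV and _algorithm are defined elsewhere and are not shown in this post.
public static string Decrypt(string password, Stream encrypted)
{
    byte[] key, iv;
    // Derive the key and IV from the password.
    CreateKeyIV(password, out key, out iv);
    // Wrap the encrypted stream so that reads return decrypted bytes.
    using (CryptoStream dec = new CryptoStream(encrypted, _algorithm.CreateDecryptor(key, iv), CryptoStreamMode.Read))
    using (StreamReader reader = new StreamReader(dec))
    {
        return reader.ReadToEnd();
    }
}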


flynny

ASKER

Hi r3nder, many thanks for the method.

So does this method encrypt and decrypt?

So rather than encrypting and having a key, we could simply encrypt and decrypt using the password for the user stored in the DB?

So when the user clicks to view the new message, could you provide an example of using the method please?

When we enter the page with the encrypted query string, we then simply use the following:

Decrypt(<pass from db>, querystring converted to stream?)

Thanks again,

Matt.
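
An added example, not code from either poster: one way to protect the message id in the query string with a per-session key, as the question describes, so that an edited token is rejected before anything is decrypted. The class name QueryToken, its method names and the key layout are assumptions; the key is taken to be 64 random bytes (from RandomNumberGenerator) created at login and kept in Session.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for illustration; not part of the original thread.
// key = 64 random bytes per session: bytes 0-31 AES-256 key, bytes 32-63 HMAC key.
public static class QueryToken
{
    // Token = base64url( IV(16) || AES-CBC ciphertext || HMAC-SHA256(IV || ciphertext) ).
    public static string Protect(string plain, byte[] key)
    {
        using (var aes = Aes.Create())
        using (var mac = new HMACSHA256(key.Skip(32).ToArray()))
        {
            aes.Key = key.Take(32).ToArray();
            aes.GenerateIV(); // fresh random IV for every token
            byte[] data = Encoding.UTF8.GetBytes(plain);
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(data, 0, data.Length);
            byte[] body = aes.IV.Concat(ct).ToArray();
            byte[] token = body.Concat(mac.ComputeHash(body)).ToArray();
            return Convert.ToBase64String(token).Replace('+', '-').Replace('/', '_').TrimEnd('=');
        }
    }

    // Returns false for any malformed or modified token; decrypts only after the MAC verifies.
    public static bool TryUnprotect(string token, byte[] key, out string plain)
    {
        plain = null;
        if (string.IsNullOrEmpty(token)) return false;
        string b64 = token.Replace('-', '+').Replace('_', '/');
        b64 += new string('=', (4 - b64.Length % 4) % 4); // restore stripped padding
        byte[] raw;
        try { raw = Convert.FromBase64String(b64); } catch (FormatException) { return false; }
        if (raw.Length < 64) return false; // 16 IV + at least one 16-byte block + 32 MAC
        using (var aes = Aes.Create())
        using (var mac = new HMACSHA256(key.Skip(32).ToArray()))
        {
            byte[] tag = mac.ComputeHash(raw, 0, raw.Length - 32);
            int diff = 0; // compare all 32 MAC bytes without an early exit
            for (int i = 0; i < 32; i++) diff |= tag[i] ^ raw[raw.Length - 32 + i];
            if (diff != 0) return false;
            aes.Key = key.Take(32).ToArray();
            aes.IV = raw.Take(16).ToArray();
            using (var dec = aes.CreateDecryptor())
                plain = Encoding.UTF8.GetString(dec.TransformFinalBlock(raw, 16, raw.Length - 48));
            return true;
        }
    }
}
```

The view page should still confirm that the decoded message id belongs to the logged-in user before loading it. If the session key is missing because the session expired before the forms-auth ticket, treat that the same as a failed token and send the user back to the inbox, where fresh links are generated.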


ASKER CERTIFIED SOLUTION
r3nder