Include a password in an href link

I have a chart which displays data. The primary, unique field for the table is ChartID. The first column displays city, state. The city and state link to another page which is an update form. The update form does have a password associated with it. I want the link to open a new form for the specific city,state associated with the ChartID. My SQL statement is:

 sql = "SELECT tblGeneral.ChartID, tblGeneral.City, tblGeneral.State, " & _
       "tblStaff.LNOStaffDesignation, tblStaff.StaffGenNotes, tblStaff.FTE,
      "FROM tblGeneral INNER JOIN tblStaff ON tblGeneral.ChartID= tblStaff.ChartID " & _
      "WHERE tblStaff.LNOStaffDesignation = 'In Transition' "

My display code for the link to the update form is:

      Response.Write "<TD class='CCTable' width='175px'><a target='_blank'
        href='http://vaww.MyWebSite/SiteDetails.asp?step=1&ChartID=" & objRS("ChartID")

Is there code I can use to pass the password to the SiteDetails page so it will open?
Malloy1446Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Big MontyWeb Ninja at largeCommented:
it's not a very good idea to put a password directly into a url, anybody will be able to see it.

I recommend putting the password into a cookie or session variable, while still not totally secure, is a lot more secure than having it visibly seen in a url.

If you must put it in the url, I recommend encrypting it, there a lot of asp routines out there that'll do that for you.
0
COBOLdinosaurCommented:
You can pass the password just like any other field, and it would be just about the stupidest thing imaginable.  There is no point in using a password if you are going to expose it.  Even worse, you will give a hacker all the infprmation they need to accessyou database and totally trash it.

The proper way to do it is to use a form, a put method and an https protocol.  Sending a password as part of a link is insanity.

Cd&
0
Scott Fell, EE MVEDeveloper & EE ModeratorCommented:
If the user is not already logged in and you just want to protect the page from the casual hacker, you could build your url so it is available only to the current user.

UserSession=Session.SessionID
MySecretWord="xlP28vbdQZ"
URLpass=sha256(date&UserSession&MySecretWord)

 Response.Write "<TD class='CCTable' width='175px'><a target='_blank'
        href='http://vaww.MyWebSite/SiteDetails.asp?step=1&ChartID=" & objRS("ChartID")&"&code="&URLpass

Open in new window

Then on the receiving page.
UserSession=Session.SessionID
MySecretWord="xlP28vbdQZ"
URLpass=sha256(date&UserSession&MySecretWord)
code=request.querystring("code")
If cstr(URLpass)=cstr(code) then
    ' you have a valid user
    else
    ' you do not have a valid user
end if

Open in new window

The above assumes the person that is on the page is ok to view the password protected page.  With that link generated, only the user with that session can view the 2nd page.  The session will be killed when the browser closes or if the worker process overloads and resets.  

That would not be the type of security you would want for personal information, but for showing a graph you want to keep the general public out and make it easy for your users it will work fine.

To use the sha256 hash, you have download the file I attached, changed the .txt to .asp and include it on both of your pages.  

At the top of your page you can include it like this
<!--#include virtual="/path_to/sha256.asp"-->
sha256.txt
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
HTML

From novice to tech pro — start learning today.