?
Solved

Include a password in an href link

Posted on 2014-03-06
3
Medium Priority
?
950 Views
Last Modified: 2014-03-06
I have a chart which displays data. The primary, unique field for the table is ChartID. The first column displays city, state. The city and state link to another page which is an update form. The update form does have a password associated with it. I want the link to open a new form for the specific city,state associated with the ChartID. My SQL statement is:

 sql = "SELECT tblGeneral.ChartID, tblGeneral.City, tblGeneral.State, " & _
       "tblStaff.LNOStaffDesignation, tblStaff.StaffGenNotes, tblStaff.FTE,
      "FROM tblGeneral INNER JOIN tblStaff ON tblGeneral.ChartID= tblStaff.ChartID " & _
      "WHERE tblStaff.LNOStaffDesignation = 'In Transition' "

My display code for the link to the update form is:

      Response.Write "<TD class='CCTable' width='175px'><a target='_blank'
        href='http://vaww.MyWebSite/SiteDetails.asp?step=1&ChartID=" & objRS("ChartID")

Is there code I can use to pass the password to the SiteDetails page so it will open?
0
Comment
Question by:Malloy1446
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 33

Expert Comment

by:Big Monty
ID: 39909990
it's not a very good idea to put a password directly into a url, anybody will be able to see it.

I recommend putting the password into a cookie or session variable, while still not totally secure, is a lot more secure than having it visibly seen in a url.

If you must put it in the url, I recommend encrypting it, there a lot of asp routines out there that'll do that for you.
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 39910009
You can pass the password just like any other field, and it would be just about the stupidest thing imaginable.  There is no point in using a password if you are going to expose it.  Even worse, you will give a hacker all the infprmation they need to accessyou database and totally trash it.

The proper way to do it is to use a form, a put method and an https protocol.  Sending a password as part of a link is insanity.

Cd&
0
 
LVL 53

Accepted Solution

by:
Scott Fell,  EE MVE earned 2000 total points
ID: 39910164
If the user is not already logged in and you just want to protect the page from the casual hacker, you could build your url so it is available only to the current user.

UserSession=Session.SessionID
MySecretWord="xlP28vbdQZ"
URLpass=sha256(date&UserSession&MySecretWord)

 Response.Write "<TD class='CCTable' width='175px'><a target='_blank'
        href='http://vaww.MyWebSite/SiteDetails.asp?step=1&ChartID=" & objRS("ChartID")&"&code="&URLpass

Open in new window

Then on the receiving page.
UserSession=Session.SessionID
MySecretWord="xlP28vbdQZ"
URLpass=sha256(date&UserSession&MySecretWord)
code=request.querystring("code")
If cstr(URLpass)=cstr(code) then
    ' you have a valid user
    else
    ' you do not have a valid user
end if

Open in new window

The above assumes the person that is on the page is ok to view the password protected page.  With that link generated, only the user with that session can view the 2nd page.  The session will be killed when the browser closes or if the worker process overloads and resets.  

That would not be the type of security you would want for personal information, but for showing a graph you want to keep the general public out and make it easy for your users it will work fine.

To use the sha256 hash, you have download the file I attached, changed the .txt to .asp and include it on both of your pages.  

At the top of your page you can include it like this
<!--#include virtual="/path_to/sha256.asp"-->
sha256.txt
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use these top 10 tips to master the art of email signature design. Create an email signature design that will easily wow recipients, promote your brand and highlight your professionalism.
This article demonstrates how to create a simple responsive confirmation dialog with Ok and Cancel buttons using HTML, CSS, jQuery and Promises
In this tutorial viewers will learn how to embed videos in a webpage using HTML5. Ensure your DOCTYPE declaration is set to HTML5: "<!DOCTYPE html>": Use the <video> tag to insert a video. Define the src as the URL of your video; this is similar to …
The viewer will learn the benefit of using external CSS files and the relationship between class and ID selectors. Create your external css file by saving it as style.css then set up your style tags: (CODE) Reference the nav tag and set your prop…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question