Solved

Include a password in an href link

Posted on 2014-03-06
3
881 Views
Last Modified: 2014-03-06
I have a chart which displays data. The primary, unique field for the table is ChartID. The first column displays city, state. The city and state link to another page which is an update form. The update form does have a password associated with it. I want the link to open a new form for the specific city,state associated with the ChartID. My SQL statement is:

 sql = "SELECT tblGeneral.ChartID, tblGeneral.City, tblGeneral.State, " & _
       "tblStaff.LNOStaffDesignation, tblStaff.StaffGenNotes, tblStaff.FTE,
      "FROM tblGeneral INNER JOIN tblStaff ON tblGeneral.ChartID= tblStaff.ChartID " & _
      "WHERE tblStaff.LNOStaffDesignation = 'In Transition' "

My display code for the link to the update form is:

      Response.Write "<TD class='CCTable' width='175px'><a target='_blank'
        href='http://vaww.MyWebSite/SiteDetails.asp?step=1&ChartID=" & objRS("ChartID")

Is there code I can use to pass the password to the SiteDetails page so it will open?
0
Comment
Question by:Malloy1446
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 33

Expert Comment

by:Big Monty
ID: 39909990
it's not a very good idea to put a password directly into a url, anybody will be able to see it.

I recommend putting the password into a cookie or session variable, while still not totally secure, is a lot more secure than having it visibly seen in a url.

If you must put it in the url, I recommend encrypting it, there a lot of asp routines out there that'll do that for you.
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 39910009
You can pass the password just like any other field, and it would be just about the stupidest thing imaginable.  There is no point in using a password if you are going to expose it.  Even worse, you will give a hacker all the infprmation they need to accessyou database and totally trash it.

The proper way to do it is to use a form, a put method and an https protocol.  Sending a password as part of a link is insanity.

Cd&
0
 
LVL 53

Accepted Solution

by:
Scott Fell,  EE MVE earned 500 total points
ID: 39910164
If the user is not already logged in and you just want to protect the page from the casual hacker, you could build your url so it is available only to the current user.

UserSession=Session.SessionID
MySecretWord="xlP28vbdQZ"
URLpass=sha256(date&UserSession&MySecretWord)

 Response.Write "<TD class='CCTable' width='175px'><a target='_blank'
        href='http://vaww.MyWebSite/SiteDetails.asp?step=1&ChartID=" & objRS("ChartID")&"&code="&URLpass

Open in new window

Then on the receiving page.
UserSession=Session.SessionID
MySecretWord="xlP28vbdQZ"
URLpass=sha256(date&UserSession&MySecretWord)
code=request.querystring("code")
If cstr(URLpass)=cstr(code) then
    ' you have a valid user
    else
    ' you do not have a valid user
end if

Open in new window

The above assumes the person that is on the page is ok to view the password protected page.  With that link generated, only the user with that session can view the 2nd page.  The session will be killed when the browser closes or if the worker process overloads and resets.  

That would not be the type of security you would want for personal information, but for showing a graph you want to keep the general public out and make it easy for your users it will work fine.

To use the sha256 hash, you have download the file I attached, changed the .txt to .asp and include it on both of your pages.  

At the top of your page you can include it like this
<!--#include virtual="/path_to/sha256.asp"-->
sha256.txt
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
StoredProcedure to JSON query faulty syntax 2 42
ms sql and asp dates 5 40
Compress Newid value ms sql Mssql 4 40
HTML 5 Input Type Numeric 5 31
When it comes to write a Context Sensitive Help (an online help that is obtained from a specific point in state of software to provide help with that state) ,  first we need to make the file that contains all topics, which are given exclusive IDs. …
When crafting your “Why Us” page, there are a plethora of pitfalls to avoid. Follow these five tips, and you’ll be well on your way to creating an effective page.
In this tutorial viewers will learn how to style elements, such a divs, with a "drop shadow" effect using the CSS box-shadow property Start with a normal styled element, such as a div.: In the element's style, type the box shadow property: "box-shad…
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question