brihol44 asked:

Application security question about inviting others via email to share data.

I'm building a small application in which a user can share their music favorites (no personal info) with others. I'm a little stuck on how I can have a secure solution. I originally thought the user could enter an email address (confirming the email to make sure they typed the right one) and an id or key could be assigned to the email on submit. The recipient would click on the secure link from the email with the key to an (SSL) signup page. The key would only be good for 48 hours or until the recipient signs up.

The recipient would then be able to view the other's music choices and add their own. Guess I'm just seeing what the opinions of others would be.

Thanks for any input!

Scott Fell (8/22/2022 - Mon):
Sending some type of key via email is not very secure since email can be intercepted. As an example, PCI compliance prevents merchants from receiving credit card data via email.

If all you want to do is invite others to share music, I would simply let User 1 fill in a simple form field with the email address of the person they want to share with. On the back end, the email address (used as an ID) is associated with USER 1 for either all music or just the one song.

USER 2 receives the email with a link to join your service and uses the email as the username/ID. Once they sign up, your back end has already associated USER 2's email with USER 1's music.

I would still require USER 2 to receive an approval email after they initially signed up.
brihol44 (ASKER):
Thx, I did think about that, but what if User 1 is a hacker or a jerk and knows an email address, first name and last name of User 2's closest friends or relatives and just fills out the form? Guess I thought this is where that key came into play as an added measure, but I hear what you are saying about it being intercepted. I just haven't had the most experience with this part of app development, so I'm trying to come up with a good and secure way. Maybe I would have to have a signup and "go check your email to confirm...", but isn't that the same thing I was thinking with a key?

For example, MailChimp has a signup and then you get an email with a link from which you have to confirm (the link below is an example of their link).

http://somedomain.us7.list-manage.com/subscribe/confirm?u=55770920d4fa2cc130650b396f908&id=bec174013231&e=5fff812e5aed
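The invite-key scheme from the question (a random key tied to the recipient's email, good for 48 hours or until the recipient signs up), written out as an added Python example that is not from the question or any answer; the InviteStore class, its in-memory table and the explicit `now` parameter are assumptions for illustration:

```python
import hashlib
import secrets
import time

INVITE_TTL_SECONDS = 48 * 3600  # the 48-hour window from the question


class InviteStore:
    """In-memory stand-in for the invites table (constructed for this example)."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> invite record

    @staticmethod
    def _hash(token):
        # Only the hash is persisted: a copied database table cannot be
        # turned back into usable invite links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, inviter_id, recipient_email, now=None):
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG: not guessable, unlike a sequential id.
        token = secrets.token_urlsafe(32)
        self._rows[self._hash(token)] = {
            "inviter": inviter_id,
            "email": recipient_email.strip().lower(),
            "expires": now + INVITE_TTL_SECONDS,
            "used": False,
        }
        return token  # appears only in the emailed link, never in logs

    def redeem(self, token, signup_email, now=None):
        now = time.time() if now is None else now
        row = self._rows.get(self._hash(token))
        if row is None:
            return None, "unknown token"
        if row["used"]:
            return None, "already used"
        if now > row["expires"]:
            return None, "expired"
        # The signup must be for the mailbox the link was sent to, so only
        # the person who controls that inbox completes the invitation.
        if row["email"] != signup_email.strip().lower():
            return None, "email mismatch"
        row["used"] = True  # single use: valid "until the recipient signs up"
        return row["inviter"], "ok"
```

Limiting how many invites one account may send per day is the usual answer to the "User 1 is a jerk" concern; that check belongs in the form handler, outside this store.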
ASKER CERTIFIED SOLUTION: Scott Fell