-1

EDIT 1: Perhaps I wasn't very clear earlier. For the following scenario, I'd like to know the best/standard method.

I have a .NET 4 web application in which for various reasons I need to send unique links to our customers.(like password resets, invitations, acount verifications etc)

The link structure will be typically mysite/some-action?key=some-unique-value

What should I do to generate the "some-unique-value" part? Whatever the method, it shouldn't break my URL.

I found some questions on SO that came close to my need but couldn't quite nail it.
Also let me know if there is a better/standard way to implement this kind of feature. Thanks.

Devin
  • 1,755
  • 1
  • 19
  • 27
  • 1
    Can't you use a GUID? – Irvin Dominin May 19 '13 at 08:56
  • @Edward lot of people advice against the use of GUID in similar discussions in SO. So I didn't prefer them. – Devin May 19 '13 at 09:01
  • On what trust will you base the encryption and how to you plan to avoid replay attacks? You are probably of just as we'll by sending a unique key associated with some one time data in a db. Sending encrypted data in an otherwise unsafe URL (assuming this is not https) is not safe – Rune FS May 19 '13 at 09:02
  • @Devin I don't agree too much, a GUID don't break HTML and is pretty unique; you must save that the link navigation being used to prevent the reuse of link (sniffing o email reuse) – Irvin Dominin May 19 '13 at 09:06
  • Why can't you URL encode whatever unique identifier you think fits your needs? – Oded May 19 '13 at 09:06
  • @RuneFS I asked this question because I wasn't sure of how to implement this kind of feature. Encryption was one method that came to my mind first. If you know a standard way, do let me know. – Devin May 19 '13 at 09:09
  • You would have be better of asking how to accomplish a goal then rather than asking a question about one very specific approach – Rune FS May 19 '13 at 09:20
  • @RuneFS yeah my bad actually. I just edited the question. Hope it's clear now. – Devin May 19 '13 at 09:26

3 Answers3

1

Assuming you get a byte array - you can convert it to hex using:

BitConverter.ToString(bytes);

You might want to use a hash algorithm such as SHA1 instead of encryption.

ispiro
  • 26,556
  • 38
  • 136
  • 291
  • Thanks. I tried SHA256 now and it seems to fit the bill. Hope this is fairly secure and URL safe. – Devin May 19 '13 at 09:05
  • @Devin Just making sure I'm being clear: The URL-safeness is by converting to hex, that gives you only 0-9 and A-F (and "-"'s). The hash is just an idea. – ispiro May 19 '13 at 09:08
1

You can try to encrypt your query string parameters, here is a good explanation. (Source)

Community
  • 1
  • 1
Dimitar Dimitrov
  • 14,868
  • 8
  • 51
  • 79
0

Use server.UrlEncode for encoding and Server.UrlDecode for decoding

Dim Url As String = "something.aspx?" 
Url & = "key = " & Server.UrlEncode("someUniqueValue")

EDIT: You don't have to decode the url string at the server as it is automatically decoded by asp.net and decoding it a second time may cause problems especially if your original url includes a '+' which will be decoded to a space.

thunderbird
  • 2,715
  • 5
  • 27
  • 51