
I am building a .Net app that effectively has news articles, some of which are available publicly and some of which are only available when you're logged in.

The URL to each article needs to include the article's ID in some way, and until now I've been using AES to encrypt the article ID, using the user's ID as the 'shared secret' and an 8-digit string as salt.

e.g. /article.aspx?id=EvEAAAACtp2iEc7lKyJSu6382Ryl4k571L5/PQrJYY1JJfeq4F

The problem is that if the user views an article while logged in, they won't be able to copy the URL and send it on to anyone else as it won't work with another user's ID or with a non-logged-in user.

What's the right approach for including IDs in query strings (or anywhere else for that matter) when they need to be shared among known/unknown users?

Thanks.

  • Why does the article ID have to be encrypted at all? I assume you keep track whether a user is logged in through sessions or something similar. Just check whether the user is allowed to access the article on the server side and use the article's plain ID in the URL. Commented Aug 15, 2012 at 15:16
  • Is there a concrete reason for using an encrypted article ID instead of the plain article ID in combination with a standard access control mechanism (checking if a user is logged-in and has view permission)? Commented Aug 15, 2012 at 15:18

2 Answers


Would it not be safer to pass the id on the query string in the clear, and have the web server check that the client has sufficient credentials to read that article, and react appropriately? It could even return the relevant HTTP status code (401) to indicate that you need to log in, or 403 to indicate that you cannot see it.


2 Comments

I guess this is just a general concern around exposing database IDs in the open - this would be pretty dangerous in the wrong hands, e.g. if the site was hacked. I assumed this would be best practice?
This very site exposes an id for each question (and answer, and user).

A common way to do this is to have a "Link" or "Share" button that generates a link that somebody can email.

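Both answers describe one design: put the plain article ID in the URL, let the server decide and answer 401 or 403 (first answer), and give users a "Share" button that mints a link anyone can open (second answer). The block below is an added example of that design, not code from the question or either answer, and it is written in Python rather than the asker's .NET so it runs stand-alone; the article table, the user tiers, the `share` parameter name and the server secret are all constructed for the example. It also shows why the original scheme was not access control: AES only protects what the key protects, and a user ID is not secret, whereas the share token here is authenticated with a key only the server holds.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed sample data; a real app reads articles from its database and the
# current user from its session store.
TIER_RANK = {"anonymous": 0, "member": 1, "premium": 2}
ARTICLES = {
    1: {"title": "Public story", "min_tier": "anonymous"},
    2: {"title": "Members-only story", "min_tier": "member"},
    3: {"title": "Premium analysis", "min_tier": "premium"},
}
USERS = {"alice": "member", "bob": "premium"}

# Server-side secret for share tokens (constructed for the example). Load it
# from configuration or a key store in production; it must be something no
# client can guess, which is exactly why a user ID cannot play this role.
SHARE_SECRET = b"example-only-secret-do-not-reuse-0123456789"

def authorize_article(article_id: int, session_user: Optional[str]) -> Tuple[int, str]:
    """Server-side decision for /article.aspx?id=<plain id>.

    Returns (HTTP status, body):
      200  caller may read the article
      401  anonymous caller, but the article needs a login
      403  logged-in caller whose tier is too low
      404  no such article
    """
    article = ARTICLES.get(article_id)
    if article is None:
        return 404, "Not Found"
    required = TIER_RANK[article["min_tier"]]
    if required == 0:
        return 200, article["title"]
    tier = USERS.get(session_user) if session_user is not None else None
    if tier is None:
        return 401, "Login required"
    if TIER_RANK[tier] < required:
        return 403, "Your account cannot view this article"
    return 200, article["title"]

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_share_token(article_id: int, ttl_seconds: int, now: Optional[int] = None) -> str:
    """What a "Share" button would mint: article id plus expiry, authenticated
    with an HMAC under the server secret. Whoever holds the link can read that
    one article until it expires, logged in or not."""
    issued = int(time.time()) if now is None else now
    payload = f"{article_id}:{issued + ttl_seconds}".encode("ascii")
    sig = hmac.new(SHARE_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def share_link(article_id: int, ttl_seconds: int, now: Optional[int] = None) -> str:
    # Plain id stays in the URL; the token only adds a time-limited grant.
    return f"/article.aspx?id={article_id}&share={make_share_token(article_id, ttl_seconds, now)}"

def verify_share_token(article_id: int, token: str, now: Optional[int] = None) -> bool:
    """Accept only a token we issued, for this article, that has not expired.
    Malformed input is rejected rather than raising; the MAC check is constant time."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        expected = hmac.new(SHARE_SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False
        token_id, expires = payload.decode("ascii").split(":", 1)
        current = int(time.time()) if now is None else now
        return int(token_id) == article_id and current < int(expires)
    except (ValueError, TypeError):
        return False

def serve_article(article_id: int, session_user: Optional[str],
                  share_token: Optional[str] = None, now: Optional[int] = None) -> Tuple[int, str]:
    """Request handler: a valid share token grants read access to the single
    article it names; otherwise the normal session check applies."""
    if share_token is not None and verify_share_token(article_id, share_token, now):
        article = ARTICLES.get(article_id)
        return (200, article["title"]) if article else (404, "Not Found")
    return authorize_article(article_id, session_user)

if __name__ == "__main__":
    print(share_link(3, 24 * 3600))   # link anyone can open for one day
    print(serve_article(3, None))     # (401, 'Login required')
    print(serve_article(3, "alice"))  # status 403: logged in, wrong tier
```

The article ID itself is never hidden, matching the comment that this very site exposes its question and answer IDs; what gates access is the server's check. The token is bound to one article ID and an expiry, so a share link for article 3 cannot be edited into one for article 2, and leaking it costs at most one article for the token's lifetime. In an ASP.NET page the same decision would set the response status code and stop rendering instead of returning a tuple.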
