secure hyperlink??
Hey guys,
I need some advice or the best way possible..
My mail() (which I got working after yesterday, thanks guys) loops and sends out a link to the users in a table.
Now I want to know the best way to do this with regard to the link.
It needs to be secure so only the person can open the link through the email. They can't type the address in or give the address to someone else to type it in and access it.
Is this possible?
Thanks,
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
"it needs to be secure so only the person can open the link through the email. can't type the address in or give the address to someone else to type it in and access it."
Do you mean... you need the server to check where the link was opened from? Do you mind if I ask why... surely if it is opened from another location then the user had viewed it in the email originally.
Don't forget one thing.... some email clients only support plain text....
Hi,
No, I don't mind telling you. If there is a better way of doing what I want then I'll go with that!
Basically I have made a survey content management system for work. Now when they launch the survey it sends a link to all the users.
Now I only want those users to be able to open it or view it.
I don't want them to tell someone else the link, then they go and fill it out.
I need some kind of security, I don't exactly know what can be possible.
Any suggestions, or if you want to know more just ask!
Thanks
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
If these users are on the same network, you may be able to use their known IP/network controlled username. You can match the specific user with a unique key that fits only their user (which you should reverify, potentially with multiple pieces of data). Making the survey only work once per email can help too.. but in the end, there's no universally safe system unless there are very narrow areas you can restrict the data down to.. (like knowing the user's IP ahead of time or similar things)
- magicrobotmonkey
- Forum Regular
- Posts: 888
- Joined: Sun Mar 21, 2004 1:09 pm
- Location: Cambridge, MA
Hi guys,
Thanks for your replies, given me a lot to think about.
feyd: the users are not on the same network.
magicrobotmonkey:
I think I might go with this idea. I'll send them a username and random password in the email with the link to the survey.
How can I set it up so they can only do the survey once? Would I set some kind of flag in the user table once they click submit so it is recorded somewhere that they have completed it?
Anyone else got any other ideas?
magicrobotmonkey, I hope I have all this right, if there is anything I am missing it would be good if you let me know!
Thanks
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Generate a long id.. like through uniqid() and sha1()/md5() to generate a ~unique identifier that you store against the user's account (in regards to the survey). When the user hits the link you pass (with that identifier) you mark the survey for that user as being in use, i.e. it'll deny all further requests using that id (unless the session times out, which should be kinda short, like 15 minutes) .. once the form is submitted and verified, it should remove the id from available ids.
Understand?
To be honest feyd, not really.
Not that you didn't explain it right, just a bit over my head.
This is a big part of my system I am building so I need to do this right. It has to be just for the user with the link.
If I do it the way you explained, will I still need a username and password? Or will this take its place?
Thanks
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
It's best to verify that it is indeed them.. it doesn't absolutely require it, but for added security (because the email could be intercepted/read by someone else) I would have them enter the information.
Here's a rough example of what I was talking about (untested):
List creation:
Code:
    // Uses the legacy mysql_* extension (removed in PHP 7).
    $userssql = 'SELECT `username`, `user_id` FROM `user` WHERE `somefield` = \'test me\'';
    $users = mysql_query($userssql) or die(mysql_error());
    while ($user = mysql_fetch_assoc($users))
    {
        list($prefix) = explode(' ', microtime());
        $hash = sha1(uniqid($prefix . mt_rand(), true));
        // insert the id (null), user id, generated hash, and the current state 'email not sent' (0).
        $insert = 'INSERT INTO `user_survey` VALUES(NULL, \'' . $user['user_id'] . '\', \'' . $hash . '\', \'0\')';
        if (mysql_query($insert))
            echo $user['username'] . ' inserted.' . "\n";
        else
            echo $user['username'] . ' failed to insert.' . "\n";
    }
Do your mass mailing script where it updates the user_survey table with a new state 'waiting for page request' after each successful mail(). This can be used so you know where to restart from if and when you hit the limit of emails you can send in a batch.
When the page request comes in: match the user who logs in with the hash used, check that the record exists, and that the record is still waiting for a page request. At this time, update that record to reflect that it is in use. Display the survey. When they are finished, mark the record as dead or delete it.
How about now?