«

My boss wants to send an email to customers with a URL that allows them
to download updates for our products.

http://download.company.com?prod={encrypted_data}

The encrypted data would contain the product ID, customer ID and a date
stamp. Our code could decrypt the info, compare against a database and
proceed based on various criteria.

I haven't done anything with encryption, so I'm not sure where to begin
on something like this. The important thing is that the encrypted value
is not sequential, it needs some form of CRC or something to verify its
integrity (to prevent people from writing a program that runs through
sequential values trying to crack the site).

Everyone on our site is written in classic ASP, so I'm looking for a
classic ASP solution. Our host provider (godaddy -- not my choice, so
please don't complain at me) does not allow us to install any third-
party components, so unfortunately, that is not an option.

Can anyone point me in the right direction?

"Dave Navarro" <> wrote in message
news: om...
>
> My boss wants to send an email to customers with a URL that allows them
> to download updates for our products.
>
> http://download.company.com?prod={encrypted_data}
>
> The encrypted data would contain the product ID, customer ID and a date
> stamp. Our code could decrypt the info, compare against a database and
> proceed based on various criteria.
>
> I haven't done anything with encryption, so I'm not sure where to begin
> on something like this. The important thing is that the encrypted value
> is not sequential, it needs some form of CRC or something to verify its
> integrity (to prevent people from writing a program that runs through
> sequential values trying to crack the site).
>
> Everyone on our site is written in classic ASP, so I'm looking for a
> classic ASP solution. Our host provider (godaddy -- not my choice, so
> please don't complain at me) does not allow us to install any third-
> party components, so unfortunately, that is not an option.
>
> Can anyone point me in the right direction?

A more secure approach is not to place any data at all in any form on the
URL.

Instead place all the data you want to associate with the URL in a database
table an use a GUID as key.

The URL you place in the email need only reference the GUID. This is many
advantages over encrypting the data. The amount of data the URL can
represent can be large yet the URL will not be very big. Its simple and
doesn't require all that mucking about with encryption algorithms. Its more
secure since there is no way to decipher the URL and no way to spoof
alternative data.


--
Anthony Jones - MVP ASP/ASP.NET

In article <>,
says...
>
> "Dave Navarro" <> wrote in message
> news: om...
> >
> > My boss wants to send an email to customers with a URL that allows them
> > to download updates for our products.
> >
> > http://download.company.com?prod={encrypted_data}
> >
> > The encrypted data would contain the product ID, customer ID and a date
> > stamp. Our code could decrypt the info, compare against a database and
> > proceed based on various criteria.
> >
> > I haven't done anything with encryption, so I'm not sure where to begin
> > on something like this. The important thing is that the encrypted value
> > is not sequential, it needs some form of CRC or something to verify its
> > integrity (to prevent people from writing a program that runs through
> > sequential values trying to crack the site).
> >
> > Everyone on our site is written in classic ASP, so I'm looking for a
> > classic ASP solution. Our host provider (godaddy -- not my choice, so
> > please don't complain at me) does not allow us to install any third-
> > party components, so unfortunately, that is not an option.
> >
> > Can anyone point me in the right direction?
>
> A more secure approach is not to place any data at all in any form on the
> URL.
>
> Instead place all the data you want to associate with the URL in a database
> table an use a GUID as key.
>
> The URL you place in the email need only reference the GUID. This is many
> advantages over encrypting the data. The amount of data the URL can
> represent can be large yet the URL will not be very big. Its simple and
> doesn't require all that mucking about with encryption algorithms. Its more
> secure since there is no way to decipher the URL and no way to spoof
> alternative data.

Hmm... thanks.

--Dave

Thanks!!

In article <>, "Jon Paal [MSMD]" <Jon
nospam Paal @ everywhere dot com> says...
> http://www.4guysfromrolla.com/webtech/010100-1.shtml
>
> "Dave Navarro" <> wrote in message news: om...
> >
> > My boss wants to send an email to customers with a URL that allows them
> > to download updates for our products.
> >
> > http://download.company.com?prod={encrypted_data}
> >
> > The encrypted data would contain the product ID, customer ID and a date
> > stamp. Our code could decrypt the info, compare against a database and
> > proceed based on various criteria.
> >
> > I haven't done anything with encryption, so I'm not sure where to begin
> > on something like this. The important thing is that the encrypted value
> > is not sequential, it needs some form of CRC or something to verify its
> > integrity (to prevent people from writing a program that runs through
> > sequential values trying to crack the site).
> >
> > Everyone on our site is written in classic ASP, so I'm looking for a
> > classic ASP solution. Our host provider (godaddy -- not my choice, so
> > please don't complain at me) does not allow us to install any third-
> > party components, so unfortunately, that is not an option.
> >
> > Can anyone point me in the right direction?