Email verifacation

[Amir Ghezelbash]

Hello every body I had a question

I am involved in a project where I need to verify the user's email
address by sending them an email and asking them to click on a link. now
I have done this but my link is human readable(example
validator.aspx?address="(e-mail address removed)") so any user can just type in
their email address into that link and it will validate it for them...
now what I want to do is to encrypt this email but most of the
encryption methods that I have searched into end up giving me a very
long strings but most professional websites that I have seen have done
this but they use a very short encrypted string.. can somebody give me
some hints on how to go about this...what is the best most professional
method to use?

btw i am coding this in asp.net 2.0 C#
thank you in advance

Awaiting your responds

 

[Patrice]

When thinking about encryption always as yourself if you need to transmit
this info...

IMO those sites are not encrypting at all. They just create a unique
impossible to guess ID and this id is included in the mail... Server side
they know the address that is tagged with this unique id is valid...

Patrice

 

[Amir Ghezelbash]

you mean a GUID ...if i do that ..then how would i know which email is
it that they are trying to validate ?

their account could have more then one email address!

i have to somehow include the email address inot the link

 

[bradley]

When the user submits their email address, and you store that address in a
table (perhaps CustomerEmail), also store the GUID in a column. Therefore,
you have a link between the GUID and a specific email address. Just be sure
to use a randomly generated id like a guid instead of sequentially generated
id, becuase it is more difficult to hack.

 

[Mythran]

When the user submits their email address, and you store that address in a
table (perhaps CustomerEmail), also store the GUID in a column. Therefore,
you have a link between the GUID and a specific email address. Just be
sure
to use a randomly generated id like a guid instead of sequentially
generated
id, becuase it is more difficult to hack.

As a sidenote, if you want small values instead of the long value GUID's
represent, you may want to look into Identity columns (incremented numeric
values).

Mythran

 

[Patrice]

Yes such as a GUID but it doesn't have (and shouldn't be IMO) the profile
GUID (to avoid giving away an information that could be used some later day
maliciously).

I was thinking rather to something like a "job id".

The whole process would be :
- the user registers a new mail address (I suppose it goes in a child table
of its profile with its own unique id)
- register in the job table a new job with its unique id and the id of the
mail address to validate
- send the validation link

When the user clicks the link :
- retrieve the id of the mail to validate from the job table
- update the address record to mark the address as validated
- delete the record from the job table

If the user is allowed to change its mail, you may want also to do the same
process so that the updated address is validated (though it could be still
the same record id in the db).

Something along these lines...

Patrice

 

[bradley]

You are right that an identity column could be stored as a much smaller
integer value. However, the problem with identity values is that they are
sequntially generated and it would be easy for the user to alter the url to
point to another record.

For example, let's assume the following URL were emailed back to the user:
validator.aspx?confirmation=457

They could edit the ID like so before submitting the link, thus validating
another unrelated user or perhaps even gaining entry to another account.
validator.aspx?confirmation=455

 

[Amir Ghezelbash]

thanks alot guys...
i have decided to go with tripleDES encryption method to encrypt the
query string and save the key in the registry so only admin can have
access to it ?

any comments?

 

[bradley]

Just out of curiosity, reply back with some examples of your encrypted
query strings.

 

[Amir Ghezelbash]

here whats my link looks like

validator.aspx?Confirmation=
+Iwq+rx0pQJeRHrGz+dnNf2T+iiG1G4/1Bv1DDwxpbk=

 

[Phillip Ian]

Seems like you're going to want to be careful of having special
characters in that string. =, /, etc...they could confuse the URL
parser in the web server.

When I did the same thing, I used a GUID and stripped the dashes out to
be safe.

 

[Mythran]

Seems like you're going to want to be careful of having special
characters in that string. =, /, etc...they could confuse the URL
parser in the web server.

When I did the same thing, I used a GUID and stripped the dashes out to
be safe.

Aye, you should use the URLEncode method to encode special characters

HTH,
Mythran

 

[Sean M]

The concern with querystrings it that the server can modify them from
underneath you since certain characters have special interpretations within
a URL. This can cause problems for algorithms like Base64-encoding

Here's some brief pseudo-code to save grief:

// encoding the string
string blah = "TEST";
Crypter crypt = new Crypter(); // not a real object -- implementation of
this is left to you
string encryptedBlah = Server.UrlEncode(crypt.Encrypt(string));

// decoding the string
Crypter crypt = new Crypter();
string decryptedBlah =
crypt.Decrypt(Server.UrlDecode(Request.QueryString["blah"]).Replace("
","+"));