What's the best way to secure a query string with Java?

By : abeger
Source: Stackoverflow.com
Question

When a user signs up in our Struts application, we want to send them an email that includes a link to a different page. The link needs to include a unique identifier in its query string so the destination page can identify the user and react accordingly.

To improve the security of this system, I'd like to first encrypt the query string containing the identifier and second set the link to expire--after it's been used and/or after a few days.

What Java technologies/methods would you suggest I use to do this?



Answers

I think you can do this in a stateless way, i.e. without the database table others are suggesting.

  • As mtnygard suggests, make a SHA-1 hash of the URL parameters AND a secret salt string.
  • Add the hash value as a required parameter on the URL.
  • Send the URL in the email.

When the user clicks on the URL:

  • Verify the integrity of the URL by calculating the hash again, and comparing the calculated value to the one on the URL.

As long as you never divulge your secret salt string, no one will be able to forge requests to the system. However, unlike the other proposals, this one does not prevent replaying an old URL. That may or may not be desirable, depending on your situation.
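The scheme above, as an added worked example (not code from the original post or its author). It makes two substitutions a practitioner would want: the "SHA-1 of parameters plus a secret salt" becomes an HMAC-SHA256 over a canonical, sorted encoding of the parameters, and an `exp` parameter (Unix seconds) is signed along with the user id so that the link also expires after a few days, which the question asks for. The parameter names `uid`, `exp` and `sig`, the class name `SignedLink` and the hard-coded `SIGNING_KEY` are assumptions for the demo; a real deployment loads the key from configuration or a secret store.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Stateless signed query string (added example, not the original poster's code).
 * Assumptions: HMAC-SHA256 instead of "SHA-1 + salt"; an "exp" parameter is
 * signed together with "uid" to give the link an expiry; the key below is a
 * placeholder that a real application would load from configuration.
 */
public class SignedLink {
    // Placeholder key for the demo only; use 32 bytes from a CSPRNG in production.
    private static final byte[] SIGNING_KEY =
        "replace-me-with-32-random-bytes-from-a-csprng".getBytes(StandardCharsets.UTF_8);
    private static final String MAC_ALG = "HmacSHA256";

    // Canonical form: parameters sorted by name, each URL-encoded, joined by '&'.
    // Signing this exact string is what stops reordering or injecting parameters.
    private static String canonical(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(enc(e.getKey())).append('=').append(enc(e.getValue()));
        }
        return sb.toString();
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    private static byte[] mac(String data) throws Exception {
        Mac mac = Mac.getInstance(MAC_ALG);
        mac.init(new SecretKeySpec(SIGNING_KEY, MAC_ALG));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    /** Builds the query string to place in the e-mailed link. */
    public static String build(String userId, long expiresAtEpochSeconds) throws Exception {
        Map<String, String> params = new TreeMap<>();
        params.put("uid", userId);
        params.put("exp", Long.toString(expiresAtEpochSeconds));
        String payload = canonical(params);
        String sig = Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
        return payload + "&sig=" + sig;
    }

    /**
     * Verifies a received query string. Returns the user id on success, or
     * null if any parameter is missing, the signature is wrong, or the link
     * has expired. Every parameter except "sig" is covered by the MAC.
     */
    public static String verify(String query, long nowEpochSeconds) throws Exception {
        Map<String, String> params = new TreeMap<>();
        String sig = null;
        for (String pair : query.split("&")) {
            int i = pair.indexOf('=');
            if (i < 0) return null;
            String k = URLDecoder.decode(pair.substring(0, i), StandardCharsets.UTF_8);
            String v = URLDecoder.decode(pair.substring(i + 1), StandardCharsets.UTF_8);
            if (k.equals("sig")) sig = v; else params.put(k, v);
        }
        if (sig == null || !params.containsKey("uid") || !params.containsKey("exp")) return null;

        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(sig);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison; Arrays.equals/String.equals would leak timing.
        if (!MessageDigest.isEqual(mac(canonical(params)), given)) return null;

        long exp;
        try { exp = Long.parseLong(params.get("exp")); } catch (NumberFormatException e) { return null; }
        if (nowEpochSeconds > exp) return null; // link expired
        return params.get("uid");
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis() / 1000;
        String q = build("12345", now + 3 * 24 * 3600); // valid for three days
        System.out.println("link:         https://example.com/confirm?" + q);
        System.out.println("verify ok:    " + verify(q, now));                              // 12345
        System.out.println("tampered uid: " + verify(q.replace("uid=12345", "uid=1"), now)); // null
        System.out.println("after expiry: " + verify(q, now + 4 * 24 * 3600));              // null
    }
}
```

The signed `exp` value covers the "expire after a few days" requirement without any server-side state. The "expire after it has been used" requirement is exactly the replay problem the answer points out: detecting a second use of the same link needs the server to remember which signatures (or which user ids) have already been redeemed, for example a used-token table or a flag on the user record, so a purely stateless design cannot provide it.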



How are you testing in IE6? I have come across several javascript errors when you use anything but a clean install of only IE6 in conjunction with the asp.net ajax libraries. (i.e. the asp.net ajax libraries don't support multiple installs of IE, or even IETester)

It is something in the IE security model that makes things go haywire when multiple versions of IE are used. You'll find that cookies won't work right either in anything but the "installed" version of IE on the system you are running.

You may also look here for some more information on multiple IE installs. I found the comments to be particularly helpful!

UPDATE: I was able to dig this up in the asp.net forums. That's the only other thing I could find. It may not be too helpful, but it at least sounds about like what you are hitting.



According to MSDN IE6 is supported. Make sure that the Internet Zone in the Security Zones settings is set to Medium.

By : notandy

