NetTalk Central

Author Topic: Security Question accessing NWB page by URL  (Read 1900 times)

rupertvz

Security Question accessing NWB page by URL
« on: May 13, 2020, 02:08:17 AM »
Hi Guys,

In one of our NT apps we are sending an e-mail with a URL to a user, which they can click to view information about a transaction without needing to log in / authenticate.

This is working well as the URL is unique (GUID) and our site is SSL enabled.

If the unique identifier is removed from the URL, the record filter is cleared and nothing is displayed.
Of course, all the security options on this NWB have been disabled, except only serve if over SSL.

From a security point of view, is there any way a hacker can break into the system by using this URL?
I am considering including an expiry date with the URL.

Any other considerations or suggestions?


Bruce

Re: Security Question accessing NWB page by URL
« Reply #1 on: May 16, 2020, 10:13:31 PM »
Hi Rupert,

In short, your system is ok, although it's slightly better to indirect the guid if you can.

In Secwin 7 I have a "token" table. These "tokens" are "one time use" - and are date/time limited.
The guid of the token record is passed in the url. The data record then contains the actual guid record that the person is viewing.

Cheers
Bruce
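
The token-table indirection described in the reply above, as an added example that is not part of the original post and is not Secwin or NetTalk code. It is a Python/SQLite sketch; the table and column names, the 24-hour lifetime and the use of a `secrets` random string in place of the token record's GUID are all assumptions.

```python
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime; the thread gives no figure


def open_store():
    """In-memory stand-in for the application's database (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE token ("
        " token_id TEXT PRIMARY KEY,"    # random value that appears in the URL
        " record_guid TEXT NOT NULL,"    # real record id, never sent to the user
        " expires_at REAL NOT NULL,"
        " used INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def issue_token(db, record_guid, now=None, ttl=TOKEN_TTL_SECONDS):
    """Create a token row and return the value to embed in the e-mailed URL."""
    now = time.time() if now is None else now
    token_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO token (token_id, record_guid, expires_at) VALUES (?, ?, ?)",
        (token_id, record_guid, now + ttl),
    )
    db.commit()
    return token_id


def redeem_token(db, token_id, now=None):
    """Return the record GUID once; None if unknown, expired or already used."""
    now = time.time() if now is None else now
    # Single conditional UPDATE so two concurrent requests cannot both succeed.
    cur = db.execute(
        "UPDATE token SET used = 1"
        " WHERE token_id = ? AND used = 0 AND expires_at > ?",
        (token_id, now),
    )
    db.commit()
    if cur.rowcount != 1:
        return None
    row = db.execute(
        "SELECT record_guid FROM token WHERE token_id = ?", (token_id,)
    ).fetchone()
    return row[0]
```

Unknown, expired and already-used tokens all return the same `None`, so the page can show the same empty result in each case and the response does not reveal which check failed.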

rupertvz

Re: Security Question accessing NWB page by URL
« Reply #2 on: May 17, 2020, 10:50:38 AM »
Thanks Bruce for the help.

I will bring in a token table, which holds the GUID of the record to be viewed.