NetTalk Central

Author Topic: Security Question accessing NWB page by URL  (Read 3414 times)

rupertvz

  • Sr. Member
  • ****
  • Posts: 326
    • View Profile
    • Email
Security Question accessing NWB page by URL
« on: May 13, 2020, 02:08:17 AM »
Hi  Guys,

In one of our NT apps we are sending an e-mail with a URL to a user which they can click to view information about a transaction, without having the need to login / authenticate.

This is working well as the URL is unique (GUID) and our site is SSL enabled.

If the unique identifier is removed from the URL, the record filter is cleared and nothing is displayed.
of course all the security options on this NWB have been disabled, except only serve if over SSL.

From a security point of view, is there anyway a hacker can break into the system by using this URL?
I am considering including an expiry date with the URL.

Any other considerations or suggestions?


Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: Security Question accessing NWB page by URL
« Reply #1 on: May 16, 2020, 10:13:31 PM »
Hi Rupert,

In short, your system is ok, although it's slightly better to indirect the guid if you can.

In Secwin 7 I have a "token" table. These "tokens" are "one time use" - and are date/time limited.
The guid of the token record is passed in the url. The data record then contains the actual guid record that the person is viewing.

Cheers
Bruce

rupertvz

  • Sr. Member
  • ****
  • Posts: 326
    • View Profile
    • Email
Re: Security Question accessing NWB page by URL
« Reply #2 on: May 17, 2020, 10:50:38 AM »
Thanks Bruce for the help.

I will bring in a token table, which holds the GUID of the record to be viewed.