0 votes

Hi everyone,

One of my customers wants to encrypt the URL of the guest pages.

For the moment it's something like this:

https://EFFICYURL/EFFICY.DLL/guest?app=MyApp&page=test.htm&propkey=2633&broch=OFF&lang=FR&param=&cont=1643C29336&type=Year&proj=0&section=main&ismode=let

With this, the next key (propkey) can easily be guessed and the contact can potentially access all the records.

The idea is to use a specific encryption; the URL will only be something like this:
https://EFFICYURL/EFFICY.DLL/guest?app=MyApp&page=test.htm&id=Y2F0ZWdvcnk9dGV4dGlsZSZ1c2VyPXVzZXIx

With this, I need to do a loadscript, runscript to go serverside, decrypt the id and pass the right parameters client side.
But this means all the Runqueries, GetArguments, ... have to be delayed, right?

Has anyone already done something like this, or do you have any advice?

Thanks,

Kind regards,
Henry

asked in Guest by (325 points)

1 Answer

+1 vote

Another simpler approach is to check server side whether or not the guest contact has access to the record identified by propkey. Throw an exception when access is forbidden. It will lead to the typical guest page error, but that should not be an issue.

I prefer security serverside instead of obscurity.

answered by (7.4k points)
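
The server-side check described in the answer, as an added example that is not part of the original thread and is not Efficy API code. It also shows that the sample `id` from the question is plain Base64 and can be read back by anyone. The names `ACCESS`, `decodeId`, `loadRecordForGuest` and `sessionContact` are hypothetical, and the example assumes the server already knows which guest contact is making the request.

```javascript
// Added example; all names and data here are hypothetical, not Efficy APIs.

// Constructed sample data: record key -> guest contacts allowed to read it.
const ACCESS = new Map([
  ['2633', new Set(['1643C29336'])],
  ['2634', new Set(['0000AAAA01'])],
]);

class ForbiddenError extends Error {}

// An opaque-looking id is not access control: the sample id from the
// question decodes straight back to its readable parameters.
function decodeId(id) {
  const text = Buffer.from(id, 'base64').toString('utf8');
  return Object.fromEntries(new URLSearchParams(text));
}

// Authorization on every request. sessionContact is assumed to come from
// the server's own knowledge of the guest, not from a value the client
// can change freely.
function loadRecordForGuest(sessionContact, propkey) {
  const key = String(propkey);
  if (!/^\d+$/.test(key)) throw new ForbiddenError('invalid key');
  const allowed = ACCESS.get(key);
  // Same error for "no such record" and "not your record", so the
  // response does not reveal which keys exist.
  if (!allowed || !allowed.has(sessionContact)) {
    throw new ForbiddenError('access denied');
  }
  return { propkey: key, contact: sessionContact };
}

// Guessing the next propkey now fails instead of returning another record.
function demo() {
  const decoded = decodeId('Y2F0ZWdvcnk9dGV4dGlsZSZ1c2VyPXVzZXIx');
  const own = loadRecordForGuest('1643C29336', '2633');
  let guessed;
  try {
    guessed = loadRecordForGuest('1643C29336', '2634');
  } catch (e) {
    guessed = e instanceof ForbiddenError ? 'forbidden' : 'error';
  }
  return { decoded, own, guessed };
}
```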