  1. #1
    SitePoint Wizard
    Join Date
    May 2002
    Posts
    1,370

    alternatives to log on

    There are users that give feedback about the quality they receive from a prior request they've made.

    I would rather not create a username/password scheme for this, since most will only do this a single time. And they may be loose with handling their passwords.

    I've considered using other fields to logon with username = email and
    "password" = phone # or other such fields, like from a control question
    (favorite pet, car, etc) which would insert on a Feedback table, but this sounds weak.

    Anybody have better suggestions? Send a form to their email with a clickable link to insert into a Feedback table (rowid passed in email?) Or maybe in CSV format back to me that I would Insert (batch process?) using their email for a rowid match? (downside being admin time and efforts to process)

    One challenge is that these requests they make are carried out over a period of weeks or months to fulfill and this must be complete prior to insert on any Feedback table.

  2. #2
    SitePoint Addict danfran's Avatar
    Join Date
    Jan 2005
    Location
    New York City
    Posts
    244
    A method I always use is to assign a "SID" (security identifier), which is basically a random string of letters & numbers, to every record in the table.

    Then, when you do a mailing, give them a link to "/whatever.asp?email=abc@123.com&SID=F5Yef4WJ9"

    The script "/whatever.asp" will do a lookup and attempt to match the user's email address with the SID found in the table for that particular record. If match, then show the form and allow a submission. If no match, bounce 'em!

    Even if you have not already done this, you can add the column, fill it with NULLs, then write a VBScript that will update each record with a SID. Note that SIDs don't necessarily have to be unique in your table. It's hard enough to guess a 6-digit number for lotto! I usually make the SID 8 or 10 chars, unless it is something the user must manually type.

    Case sensitivity is incorporated into the generation of the code, but you can UCASE or LCASE it just before you do the matching process. It probably won't matter unless you suspect people will tamper with the URL..

    If you have multiple instances of a particular email address, then you'll have to be a little more creative.. Possibly, you could unify the SID on a per-email basis or use a "Users" table (with unique emails) for this purpose..
    Any unique field that identifies the person in combination with SID will work.

    If you're interested in the VBScript, PM me.

    -Dan

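    Code:
    ' Returns a random SID made of digits, upper-case and lower-case letters.
    ' num = number of characters in SID
    ' Note: Rnd is a general-purpose pseudo-random generator that Randomize
    ' seeds from the system timer.
    function MakeSID(num)

        dim i, intNum, intUpper, intLower, intRand, strPartPass

        Randomize

        For i = 1 to num
            intNum = Int(10 * Rnd + 48)      ' ASCII 48-57: digits 0-9
            intUpper = Int(26 * Rnd + 65)    ' ASCII 65-90: letters A-Z
            intLower = Int(26 * Rnd + 97)    ' ASCII 97-122: letters a-z
            intRand = Int(3 * Rnd + 1)       ' 1-3: which character class to use

            Select Case intRand
                Case 1
                    strPartPass = Chr(intNum)
                Case 2
                    strPartPass = Chr(intUpper)
                Case 3
                    strPartPass = Chr(intLower)
            End Select

            ' Append the chosen character to the return value
            MakeSID = MakeSID & strPartPass
        Next

    end function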

  3. #3
    SitePoint Wizard
    Join Date
    May 2002
    Posts
    1,370
    danfran,

    This is helpful, thank you. Luckily this is a new table.

    Couldn't I use autogenerate password on the "SID" (security identifier) column?

    The only other thing is the timing. I won't know unless one of two parties notifies me of completion of the request to send this email containing SID out. It could be sent out ahead of time of course.

    How would you feel about a SID resting in user inboxes for weeks/mo's or permanently? A risk worth worrying about? Seems it would be a little hard to find, unless they knew of this particular process in relation to my site. But again, this is only a user Feedback form and it could be on its own table.

    If even a "bad guy" were to get the SID, as with password, and could enter that record -- he or she would only have access to that particular row, right?
    Last edited by datadriven; Feb 15, 2005 at 13:42.

  4. #4
    SitePoint Addict danfran's Avatar
    Join Date
    Jan 2005
    Location
    New York City
    Posts
    244
    Well, I'm not sure which database / scripting system you are using, but "autogenerate password" isn't something in ASP or SQL Server.. (.net has this?)

    It's not a problem to expose the SID to an end-user. Remember, users must supply a password in order to check email, so there is already one line of security in-place. Tampering with the SID, as you suggest, is useless because yes, it will only match one row in that table.

    Dan

  5. #5
    SitePoint Wizard
    Join Date
    May 2002
    Posts
    1,370
    autogenerate password would generate a unique value like "F5Yef4WJ9".

    It's PHP, an extension to Dreamweaver MX is what I'm referring to.
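
The emailed-link scheme from post #2, together with the link-lifetime question from post #3, as an added example (not code from any poster in this thread), written in Python so it runs stand-alone rather than in the ASP or PHP the posters use. The in-memory row table, the 90-day lifetime, the example.test URL and all function names are assumptions; the token comes from the operating system's CSPRNG instead of Rnd, only its hash is stored, and each link is accepted once.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 90 * 24 * 3600   # assumption: link stays valid 90 days after mailing

# Constructed stand-in for the Feedback table: row id -> record
feedback_rows = {}

def digest(token: str) -> str:
    """SHA-256 of the token; this is what the table stores, never the token."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()

def issue_link(row_id: int, now: float) -> str:
    """Create a one-time token for a feedback row and return the link to mail."""
    token = secrets.token_urlsafe(16)            # 128 bits from the OS CSPRNG
    feedback_rows[row_id] = {
        "token_hash": digest(token),
        "expires": now + TOKEN_TTL,
        "feedback": None,
    }
    # Hypothetical URL; the row id replaces the e-mail address as the lookup key.
    return f"https://example.test/feedback?id={row_id}&sid={token}"

def submit_feedback(row_id: int, token: str, text: str, now: float) -> str:
    """Accept feedback only for a matching, unexpired, unused token."""
    row = feedback_rows.get(row_id)
    # Non-ASCII input can never match; map it to an empty digest.
    presented = digest(token) if token.isascii() else ""
    # compare_digest avoids leaking how many leading characters matched.
    if row is None or not hmac.compare_digest(presented, row["token_hash"]):
        return "rejected"
    if now > row["expires"]:
        return "expired"
    if row["feedback"] is not None:
        return "already-used"                    # the link works exactly once
    row["feedback"] = text
    return "accepted"
```
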

