How to hide parameters in URLs

I have dropped a link into an email for the user to jump back into the application and edit something. The link clearly shows the key of the record to be edited. Some knucklehead could take that link, change the number and edit something else. How can I expose this link and somehow mask the parameter value so that it can't be messed with? Does anyone have any examples?
Hi Gerry,
You can use SEO to mask the parameter value. If you want the user not to edit something else, you need to have a mapping that only allows the user to edit some things.
Doing some tricks with redirects allows you to hide the parameters, because when an action ends with a redirect to another screen, the URL in the browser doesn't change.
Best Regards,
Carlos Rocha
You should define permissions at a record level so that if he goes to an id where he isn't allowed to make changes, he can't make them.

Any other way means having a parameter that is not an id, and having to search for it in the DB. You can use encrypt/decrypt functions to hide/show the real value.
Gerry wrote:
I have dropped a link into an email for the user to jump back into the application and edit something. The link clearly shows the key of the record to be edited. Some knucklehead could take that link, change the number and edit something else. How can I expose this link and somehow mask the parameter value so that it can't be messed with? Does anyone have any examples?

Hello Gerry,

As Nuno said, one of the best practices for email links that bring the user back to the website and trigger some kind of action that needs parameters is to have a hashtag. Remember those emails which some sites send you asking to validate or activate your account?

All that can be done using the encrypt/decrypt functions.

cheers,
Miguel
Carlos Rocha wrote:
Doing some tricks with redirects allows you to hide the parameters, because when an action ends with a redirect to another screen, the URL in the browser doesn't change.

Hello Carlos,

If you do an external URL at the end of the action (instead of a screen), then the parameter isn't shown anymore. To keep a valid 'external' URL you can use the getEntryURL() function.

But the encrypt/decrypt should still be used as well. Keep in mind that the encrypt function sometimes generates a '+' sign, which isn't 'accepted' in the URL, so you need to URL-encode the encrypted parameter.

Kind regards,
Evert
Just a quick question.....

There does not seem to be a decrypt function in my Service Studio (version 6.0.1.16). The encrypt function can be seen but not the decrypt function.
Any idea as to why it's not available?

Thanks

Robbie
Hi, because the encrypt is 1-way only for security reasons :)


Hi all,

It's easy and quick.

Normally you have a link with Method = Navigate, and its target is a URL.

You need to replace this Navigate link with a Submit link. Basically you create an action and you put the Destination in it. Keep your encrypt and decrypt actions :)
This example is to hide the parameters in the browser.
Hi Joost,

If the encrypt is one way, then how do you get the end result?

For example, if you wish to pass a variable to a web screen and encrypt the variables (as they can be seen in the URL address bar), how would you decrypt the variable on the receiving screen?

Robbie
Robbie,

the Enterprise Manager 6.0.4 has:

"
Main Features:
  • ...
  • Provides cryptography APIs (in Crypto Extension):
    • Get the MD5 hash of a text,
    • Encrypt and decrypt a text using a password.
"

http://www.outsystems.com/NetworkSolutions/ProjectDetail.aspx?ProjectId=64

;)
Hello Gerry, I can speak from my experience. In my project I created a public page that handles the links. For each link you send in emails, I add a row to my internal link table and create a GUID that serves as a key, which an external person will not be able to guess because it is not sequential. When the customer clicks the link, they go to this page via the GUID link, something like http://serveraddress/link.aspx?guid=23232323232323. I look up this GUID in my table, grab the link and redirect to the page, passing the parameters. Passing parameters works the same as before; the difference is that, beyond the GUID, the link's parameters are added to a RecordList, and each page is handled the way you need. I hope I helped.
I think Alexandre's solution is the best: have the link contain a parameter that is only indirectly linked to your page, to avoid people guessing valid parameters. If the user must login as well, you can have a simple parameter or even none (just link the user to the right page).
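
The indirect-token approach described in the last two posts, combined with the record-level permission check suggested earlier in the thread, as an added Python sketch. It is not code from any poster or from the OutSystems platform; the in-memory tables, the `app.example` host, the function names, the 24-hour lifetime and the single-use rule are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime for an emailed link

# Constructed in-memory stand-ins for the link table and record ownership.
LINKS = {}                                   # sha256(token) -> link row
RECORD_OWNER = {101: "gerry", 102: "alice"}  # record id -> owning user


def _digest(token):
    # Store only a hash so a leaked link table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(record_id, user, now=None):
    """Create an unguessable token for one record and one user; return the URL."""
    now = time.time() if now is None else now
    # 256 bits from the OS CSPRNG; the URL-safe alphabet has no '+' or '/'.
    token = secrets.token_urlsafe(32)
    LINKS[_digest(token)] = {
        "record_id": record_id,
        "user": user,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return "https://app.example/link?t=" + token  # placeholder host


def resolve_link(token, logged_in_user, now=None):
    """Return the record id to open, or None if the link must be refused."""
    now = time.time() if now is None else now
    row = LINKS.get(_digest(token))
    if row is None or row["used"] or now > row["expires"]:
        return None
    # Record-level permission check: the token alone is not authorization.
    if row["user"] != logged_in_user:
        return None
    if RECORD_OWNER.get(row["record_id"]) != logged_in_user:
        return None
    row["used"] = True  # single use (assumption)
    return row["record_id"]
```

Because the record id never appears in the URL and the server re-checks ownership on every resolve, changing the parameter yields either an unknown token or a refused request.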