Question

Encrypting URLs to Public Portal

asked on October 27, 2017

We have a portal that our customers use that is encrypted and has access to account info.  We want to be able to pass a URL to LF Forms with an encrypted value to start the data lookup.  

Example: Person logs into a website to see account info.  They see a list of available public portal forms to which they have access.  When clicking on the link, their account info is automatically populated via the account number being passed in the URL as well as backend SQL lookups.  Now the person doesn't have to fill in the info we already have in the database.

Here is the issue: We can append the account number to the URL, but that becomes clear text. We are using an SSL connection and logged in via SSO to their primary web content provider. The issue with clear text is that customers can guess other account numbers and possibly gain access to other customers' information.

What is the best way to obfuscate this information and still maintain the ability to pass information from our system to forms?

Replies

replied on October 27, 2017

In lieu of no encryption option

Have you considered generating a hashcode for each user in the DB (could be a combination of ID, name, account#, random number) something that would end up being unique. Then you would pass the hashcode to the form URL which would be used for the lookup. 

It's not perfect, but the average person would be highly unlikely to be able to change a hashcode and make it pull up another person's info.

replied on October 27, 2017

If obfuscation is good enough, then you just need a table to map each ID over to a GUID or some such that can be used as the URL parameter. A lookup on the GUID gets you the ID, and a lookup on the ID gets your other data to prepopulate the form.

It's not really any more secure, though--a bad actor could still iterate through the GUIDs and mine data they shouldn't have access to. An approach I've used is to make the mapping records temporary, almost like a session token. Clicking the link in your portal app first creates the mapping record, then redirects to the URL. The first lookup, instead of referencing the table, uses a proc that looks up the ID and also checks that the timestamp is within some threshold.

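The temporary mapping record described in the reply above, as an added example that is not part of the original thread or any vendor's code. Assumptions: an in-memory SQLite table stands in for the mapping table and the stored proc, the table and function names are hypothetical, the threshold is 60 seconds, the token is a random value from `secrets` rather than a GUID, and a single-use flag is added on top of the timestamp check.

```python
import secrets
import sqlite3
import time

MAX_AGE_SECONDS = 60  # assumed threshold; the reply only says "some threshold"

def open_db():
    """In-memory stand-in for the mapping table described in the reply."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE link_token ("
        " token TEXT PRIMARY KEY,"
        " account_id TEXT NOT NULL,"
        " created_at REAL NOT NULL,"
        " used INTEGER NOT NULL DEFAULT 0)"
    )
    return conn

def issue_token(conn, account_id, now=None):
    """Portal side: called for the logged-in user just before the redirect."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    conn.execute(
        "INSERT INTO link_token (token, account_id, created_at) VALUES (?, ?, ?)",
        (token, account_id, time.time() if now is None else now),
    )
    conn.commit()
    return token

def redeem_token(conn, token, now=None):
    """Forms lookup side: return the account id once, within the window, else None."""
    now = time.time() if now is None else now
    # One atomic UPDATE claims the token, so a replayed or concurrent
    # request cannot redeem the same link twice.
    cur = conn.execute(
        "UPDATE link_token SET used = 1"
        " WHERE token = ? AND used = 0 AND created_at >= ?",
        (token, now - MAX_AGE_SECONDS),
    )
    conn.commit()
    if cur.rowcount != 1:
        return None  # unknown, expired, or already used
    row = conn.execute(
        "SELECT account_id FROM link_token WHERE token = ?", (token,)
    ).fetchone()
    return row[0]
```

The account number never appears in the URL, and a token copied from browser history or a proxy log is useless once it has been redeemed or the window has passed.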
replied on October 27, 2017

Those are both great options, but I doubt they are secure enough.  These are for banking customers who want to add forms to the backend of their online banking platforms.   Thus the need for encryption or some other way to pass SSO data to LF Forms.  @████████ can add more info on how our software integrates with SSO platforms using AES encryption.
