I want to provide a link for users to unsubscribe to our newsletter. I don''t want the actual email address to show up in the url. So I would like it something like /unsubscribe/wx313asdf31. What is the simplest method of encrypting the email to a URL compliant string? Thanks, Tom
It might be possible to use another key from that table (perhaps you have an ID column) and use that to unsubscribe users. Is anything like that possible? On Mon, Sep 28, 2009 at 3:12 PM, TomRossi7 <tom-5bxIUPmzHicFraO2wh7vUA@public.gmane.org> wrote:> > I want to provide a link for users to unsubscribe to our newsletter. > I don''t want the actual email address to show up in the url. So I > would like it something like /unsubscribe/wx313asdf31. What is the > simplest method of encrypting the email to a URL compliant string? > > Thanks, > Tom > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
TomRossi7 wrote:> I want to provide a link for users to unsubscribe to our newsletter. > I don''t want the actual email address to show up in the url.Why not? If you''re only sending the link to that user, there''s no security risk.> So I > would like it something like /unsubscribe/wx313asdf31. What is the > simplest method of encrypting the email to a URL compliant string?As James suggested, if you''ve already got the users stored in the DB, then just use their DB ID or a random unique string that you store in the DB. If you''re not storing e-mail addresses in the DB, then you need some sort of reversible encryption. Base64 or uuencode would also work if you don''t need high security.> > Thanks, > TomBest, -- Marnen Laibow-Koser http://www.marnen.org marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org -- Posted via http://www.ruby-forum.com/.
1. I can''t use the actual email address because AOL will redact the address if a complaint is filed. 2. I can''t use the actual ID, because someone could have a field day unsubscribing people 3. I could store a random string in the db, but that seems like overkill Is there a simple way to obfuscate the email address? Thanks! Tom On Mon, Sep 28, 2009 at 4:18 PM, Marnen Laibow-Koser < rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:> > TomRossi7 wrote: > > I want to provide a link for users to unsubscribe to our newsletter. > > I don''t want the actual email address to show up in the url. > > Why not? If you''re only sending the link to that user, there''s no > security risk. > > > So I > > would like it something like /unsubscribe/wx313asdf31. What is the > > simplest method of encrypting the email to a URL compliant string? > > As James suggested, if you''ve already got the users stored in the DB, > then just use their DB ID or a random unique string that you store in > the DB. If you''re not storing e-mail addresses in the DB, then you need > some sort of reversible encryption. Base64 or uuencode would also work > if you don''t need high security. > > > > Thanks, > > Tom > > Best, > -- > Marnen Laibow-Koser > http://www.marnen.org > marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org > -- > Posted via http://www.ruby-forum.com/. > > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Tom Rossi wrote:> 1. I can''t use the actual email address because AOL will redact the > address > if a complaint is filed.Um, what? Not sure I understand.> 2. I can''t use the actual ID, because someone could have a field day > unsubscribing people > 3. I could store a random string in the db, but that seems like > overkillIt''s actually very easy to do. Heck, you could even use it as the primary key.> > Is there a simple way to obfuscate the email address?I already suggested a couple. If all you need is to make it not look like an e-mail address, though, why don''t you just replace the @ with a / or something?> > Thanks! > TomBest, -- Marnen Laibow-Koser http://www.marnen.org marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org> > On Mon, Sep 28, 2009 at 4:18 PM, Marnen Laibow-Koser <-- Posted via http://www.ruby-forum.com/.
Hey Tom, Instead of encrypting/decrypting some data, one typical approach to do this type of thing is to employ (cryptographic) hashing to verify that some requested action is valid, as well as to try and discourage malicious request attempts. You could try something like: ### in routes: ... map.connect ''/ unsubscribe/:user_id/:dt/:hd'', :controller=>''test'', :action=>''unsubscribe'' map.connect ''/ unsubscribe/:user_id'', :controller=>''test'', :action=>''unsubscribe'' ... ### in controller: require ''digest/sha2'' ... UNSUBSCRIBE_SECRET = "somelongrandomstring" UNSUBSCRIBE_URL_PRE = "http://testapp.foo.com/unsubscribe" ... def unsubscribe user_id = params[:user_id].to_i dt = params[:dt].to_i hd = params[:hd] # user doesn''t exist in db? if user_id < 1 or User.count(:conditions=>["id=?", user_id]) < 1 # log it and redirect to .... end # email unsubscribe link to user? if dt < 1 or hd.blank? dt = Time.now.to_i hd = unsubscribe_hd(user_id, dt) unsubscribe_url = "#{UNSUBSCRIBE_URL_PRE}/#{user_id}/#{dt}/#{hd}" # email url to user and redirect to .... end # invalid hd? expected_hd = unsubscribe_hd(user_id, dt) if hd != expected_hd # log it and redirect to .... end # unsubscribe the user and redirect to ... end ... protected def unsubscribe_hd(user_id, dt) secret_hd = Digest::SHA256.hexdigest(UNSUBSCRIBE_SECRET) return Digest::SHA256.hexdigest("#{user_id}#{dt}#{secret_hd}") end ... Jeff On Sep 28, 12:12 pm, TomRossi7 <t...-5bxIUPmzHicFraO2wh7vUA@public.gmane.org> wrote:> I want to provide a link for users to unsubscribe to our newsletter. > I don''t want the actual email address to show up in the url. So I > would like it something like /unsubscribe/wx313asdf31. What is the > simplest method of encrypting the email to a URL compliant string? > > Thanks, > Tom
Jeff, I like the idea of using a real piece of data (the id) and then a hash to validate that its not some random get request! That is a nice, slick, way to avoid complicated encryption or junking up the database. Thanks! --Tom On Mon, Sep 28, 2009 at 7:47 PM, Jeff Lewis <jeff.burly-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> > Hey Tom, > > Instead of encrypting/decrypting some data, one typical approach to do > this type of thing is to employ (cryptographic) hashing to verify that > some requested action is valid, as well as to try and discourage > malicious request attempts. > > You could try something like: > > ### in routes: > ... > map.connect ''/ > unsubscribe/:user_id/:dt/:hd'', :controller=>''test'', :action=>''unsubscribe'' > map.connect ''/ > unsubscribe/:user_id'', :controller=>''test'', :action=>''unsubscribe'' > ... > > ### in controller: > require ''digest/sha2'' > ... > > UNSUBSCRIBE_SECRET = "somelongrandomstring" > UNSUBSCRIBE_URL_PRE = "http://testapp.foo.com/unsubscribe" > ... > > def unsubscribe > user_id = params[:user_id].to_i > dt = params[:dt].to_i > hd = params[:hd] > > # user doesn''t exist in db? > if user_id < 1 or User.count(:conditions=>["id=?", user_id]) < 1 > # log it and redirect to .... > end > > # email unsubscribe link to user? > if dt < 1 or hd.blank? > dt = Time.now.to_i > hd = unsubscribe_hd(user_id, dt) > unsubscribe_url = "#{UNSUBSCRIBE_URL_PRE}/#{user_id}/#{dt}/#{hd}" > # email url to user and redirect to .... > end > > # invalid hd? > expected_hd = unsubscribe_hd(user_id, dt) > if hd != expected_hd > # log it and redirect to .... > end > > # unsubscribe the user and redirect to ... > end > ... > > protected > > def unsubscribe_hd(user_id, dt) > secret_hd = Digest::SHA256.hexdigest(UNSUBSCRIBE_SECRET) > return Digest::SHA256.hexdigest("#{user_id}#{dt}#{secret_hd}") > end > ... > > Jeff > > On Sep 28, 12:12 pm, TomRossi7 <t...-5bxIUPmzHicFraO2wh7vUA@public.gmane.org> wrote: > > I want to provide a link for users to unsubscribe to our newsletter. > > I don''t want the actual email address to show up in the url. So I > > would like it something like /unsubscribe/wx313asdf31. What is the > > simplest method of encrypting the email to a URL compliant string? > > > > Thanks, > > Tom > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---