Just thought I'd add that I just came up with another idea (it supplements the cookie/session idea I noted in a comment above). If I include the IP address in the encrypted value, that would make it tied to that computer fairly uniquely, although not perfectly uniquely (because multiple computers behind a router can have the same IP address, so the person could IM the link to their coworker for example and the server might mix the two computers up). One way to mitigate that risk is to add the current date/time to the value. On each postback, the new date/time would be used (perhaps performing a redirect). If the date/time in the value is older than, say, 20 minutes, the server would consider it a bad request (so it would be similar to an expired session). To sum things up so far, the encrypted value would contain this information:
- A GUID.
- The user's IP address.
- The current date/time (of each web request).
Maybe I could even add other unique information about the computer, such as the browser version. The more unique information, the less likely the URL can be used on another user's computer.
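As an added illustration (not code from the post's author), here is a Python sketch of the token the post describes: a GUID, the client IP and an issue time bound together so the server rejects the token when it arrives from a different IP or is older than 20 minutes, and reissued on each request so the timestamp stays fresh. The post calls for an encrypted value; this version uses an HMAC-SHA256 tag instead, since the integrity check is what stops a tampered token from being accepted, and the secret key, GUID and IP values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-demo-key-replace-in-production"  # assumption: server-side secret
MAX_AGE_SECONDS = 20 * 60  # the 20-minute window from the post
TAG_LEN = 32  # HMAC-SHA256 output size


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_token(guid: str, client_ip: str, now=None) -> str:
    """Build a token binding the GUID to the client's IP and the current time."""
    issued = int(time.time() if now is None else now)
    fields = {"guid": guid, "ip": client_ip, "ts": issued}
    payload = json.dumps(fields, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def validate_token(token: str, client_ip: str, now=None):
    """Return the GUID if the token is authentic, bound to client_ip and
    no older than MAX_AGE_SECONDS; otherwise return None (bad request)."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _sign(payload)):
        return None  # tampered or forged: ignore everything inside
    data = json.loads(payload)
    if data["ip"] != client_ip:
        return None  # presented from another computer (as far as IP can tell)
    current = time.time() if now is None else now
    if not 0 <= current - data["ts"] <= MAX_AGE_SECONDS:
        return None  # expired, or a timestamp from the future
    return data["guid"]


def handle_request(token: str, client_ip: str, now=None):
    """Per-postback step from the post: validate, then reissue with a fresh
    timestamp so the 20-minute window restarts. Returns the new token or None."""
    guid = validate_token(token, client_ip, now)
    if guid is None:
        return None
    return issue_token(guid, client_ip, now)
```

Note that the IP check only narrows misuse to clients sharing that address, exactly the NAT limitation the post points out; the expiry is what bounds the window in which a leaked link stays usable.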