The short version of this is that I want you to give me ideas on how to use a technique I came up with that I want to write a tip/trick on. The long version follows...
 
When you visit http://www.youtube.com/watch?v=K2cYWfq--Nw, you'll see a video for "daft hands". YouTube uses the video ID ("K2cYWfq--Nw" in this case) to identify which video to serve up. My idea is basically to attach some uniquely identifying information to that ID.
 
For example, YouTube requires you to log in to view mature content. If YouTube combined the video id ("K2cYWfq--Nw") with the user ID ("AwesomezorTuber5"), they'd be able to identify both the video and the user (so the URL becomes "http://www.youtube.com/watch?v=K2cYWfq--Nw.AwesomezorTuber5"). If that entire query string value were then encrypted using a password known only to YouTube, the user would not be able to pass on the link with a modified user ID (the new URL would look like "http://www.youtube.com/watch?v=SDLKJ23lkljls234l2-lsdf23SLkg231ff119GEls" for AwesomezorTuber5 but would look like "http://www.youtube.com/watch?v=slL43lSlk4kLGJELxllf469LSDJ35l5lGi2346lhSR" for UserXtraTubeface). The user would not even know their user ID is part of the URL, and this would allow YouTube to track the originator of a video that gets passed on to others.
 
I want to make a tip/trick for this idea, but this idea is pretty useless unless I find a way to use it, so that's what I'm asking you... to provide me with some ideas for how to use this idea. I am only using YouTube as a convenient example... this idea could apply to any website that makes use of query strings. Finally, I'm not looking for one idea here... any and all ideas are welcome.
Posted 19-Dec-10 0:56am
AspDotNetDev
Comments
aspdotnetdev at 19-Dec-10 6:10am
   
To get things started, one idea is to use this as a replacement for cookies so that session can be enabled. This feature already exists, but it exposes the ID in the URL so that if the URL gets passed on to others, they appear to be on the same machine (that could cause all kinds of problems). By encrypting the session id along with some other information about the machine (e.g., IP address), it would make the URL useless to other machines that don't match the encrypted information while enabling cookie-like storage of the session ID. Still not sure if that idea is that feasible though (e.g., many computers share the same external IP address when they are inside a company).
Sandeep Mewara at 19-Dec-10 7:42am
   
Is this important/part of the plan: "to track the originator of a video that gets passed on to others"?
aspdotnetdev at 19-Dec-10 18:33pm
   
Not necessarily. That just seems like one of the possible uses.
aspdotnetdev at 19-Dec-10 23:52pm
   
Note that I'm not looking for implementation details, as that is a solved problem (http://nayyeri.net/how-to-encrypt-query-string-parameters-in-asp-net). I'm looking for ideas of how to use my idea, which is not simply encrypting query strings (it has the addition of forcing certain identifying information to be in the query string).
thatraja at 14-Jan-11 22:59pm
   
Good one dude, if possible please post a blog/Tip-Trick about this one. 5!

1 solution


Solution 2

Just thought I'd add that I just came up with another idea (it supplements the cookie/session idea I noted in a comment above). If I include the IP address in the encrypted value, that would make it tied to that computer fairly uniquely, although not perfectly uniquely (because multiple computers behind a router can have the same IP address, so the person could IM the link to their coworker for example and the server might mix the two computers up). One way to mitigate that risk is to add the current date/time to the value. On each postback, the new date/time would be used (perhaps performing a redirect). If the date/time in the value is older than, say, 20 minutes, the server would consider it a bad request (so it would be similar to an expired session). To sum things up so far, the encrypted value would contain this information:
  • A GUID.
  • The user's IP address.
  • The current date/time (of each web request).
Maybe I could even add other unique information about the computer, such as the browser version. The more unique information, the less likely the URL can be used on another user's computer.
 
Oh, and one more idea. If I use AJAX, I can make the expiration duration even more frequent (say, every 10 seconds), because I can make asynchronous server requests periodically without interrupting the user with a full postback. The postback URL can then be modified to use the most frequent encrypted value (which would be stored in a JavaScript variable). This would make the solution even more secure (though less stable, as a temporary interruption of network availability would cause the user to have to start over).
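The token described in this answer (a GUID, the client IP address and a timestamp, rejected once older than 20 minutes), as an added example that is not part of the original post. It uses Node.js's built-in AES-256-GCM so that a modified value fails authentication rather than decrypting to garbage; the function names, JSON field names and byte layout are assumptions of this example.

```javascript
// Added example: not code from the original post. Names and layout are assumptions.
const nodeCrypto = require('node:crypto');

const TTL_MS = 20 * 60 * 1000; // the answer's "say, 20 minutes"

// Seal {id, ip, ts} with AES-256-GCM; output is safe to place in a query string.
function sealToken(key, guid, clientIp, nowMs) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every token
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const plain = JSON.stringify({ id: guid, ip: clientIp, ts: nowMs });
  const body = Buffer.concat([cipher.update(plain, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
}

// Returns { ok: true, id } or { ok: false, reason }.
function openToken(key, token, clientIp, nowMs) {
  const raw = Buffer.from(String(token), 'base64url');
  if (raw.length <= 28) return { ok: false, reason: 'malformed' }; // 12 IV + 16 tag
  let claims;
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    d.setAuthTag(raw.subarray(12, 28));
    const plain = Buffer.concat([d.update(raw.subarray(28)), d.final()]);
    claims = JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return { ok: false, reason: 'tampered' }; // authentication (or parsing) failed
  }
  if (claims.ip !== clientIp) return { ok: false, reason: 'ip-mismatch' };
  if (nowMs - claims.ts > TTL_MS) return { ok: false, reason: 'expired' };
  return { ok: true, id: claims.id };
}

// Per-request rotation: accept the current token, hand back one with a new timestamp.
function refreshToken(key, token, clientIp, nowMs) {
  const r = openToken(key, token, clientIp, nowMs);
  return r.ok ? sealToken(key, r.id, clientIp, nowMs) : null;
}

// Constructed sample values (documentation IP ranges, made-up GUID).
const demoKey = nodeCrypto.randomBytes(32);
const demoTok = sealToken(demoKey, '6f1c2b1e-constructed', '203.0.113.5', Date.now());
console.log(openToken(demoKey, demoTok, '203.0.113.5', Date.now()));  // same client
console.log(openToken(demoKey, demoTok, '198.51.100.9', Date.now())); // forwarded link
```

Re-issuing a token does not invalidate the previous one, so a copied URL still works for anyone behind the same external IP address until its timestamp ages out, unless the server also records the latest issue time per GUID.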

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 15 Jan 2011