Forum OpenACS Q&A: Codified URLs

Posted by Rocael Hernández Rizzardini on
Hi!

I want to send users a link to visit on my website, but I also 
want to track whether a specific user is clicking on the link that I've 
sent to him. 

I would like to send him a codified url
something like: 
http://www.mywebsite.com/link?track=KJSKAJDLKJFALKJDLFJADJKFJAIE983890W

instead of a normal link like:
http://www.mywebsite.com/link?email=some@email.com&etc

My question is how I can generate that codified URL 
(KJSKAJDLKJFALKJDLFJADJKFJAIE983890W), 
using a random function in TCL or PGSQL?
Which function?

Thanks for your recommendations!
2: Response to Codified URLs (response to 1)
Posted by Simon Buckle on
You can use the AOLServer function ns_rand to generate the random number.
3: Response to Codified URLs (response to 1)
Posted by Jonathan Ellis on
Why bother with "random" at all?  If the link is to a page that doesn't require a login (if it did, just put a hook in the page to write that to your db) but you are emailing registered users, use their userid as the "key" in the url you send out.  It's already globally unique so you don't have to do any extra work...

If for some reason you're sending mail to nonregistered users whose email address you somehow acquired (legitimately, right? :) then make a new key (still no need for random numbers, just start with 1) and write an email/key pairing to a table created for that purpose.

4: Why Codified URLs? (response to 1)
Posted by Rocael Hernández Rizzardini on
The system that I'm working on is for recommendation of items from different modules of OpenACS, something like "send this page".
So probably this is for sending it to non-registered users by other users, registered or not.

I was at a bootcamp this year at aD, and somebody taught me that it is more secure not to show your data structure to everybody on the internet (especially when sending email to unknown users). Instead of using user_id (that's a really bad mistake) or key_id, I would prefer to use nothing but a bunch of characters (KDJALKJDKFJJDLFKAJDKJFLKASDJLFJ) that are unique, so no hacker will be able to easily know how my data is structured. Anyway, this is just another, possibly more elegant, way to do things.

5: Response to Codified URLs (response to 1)
Posted by Jonathan Ellis on
I fail to see how sending a potential hacker his own userid (or even a temporary key id) would compromise security.  After all, what does bboard send out with notifications?  Give the man $100 if he said key ids...
6: Response to Codified URLs (response to 1)
Posted by Jonathan Marsden on
Surely the need for avoiding userid is that J. Random Hacker could construct and "click on" a link to

http://www.mysite.com/link?userid=1234

even if he is not user 1234 on this system (maybe he just values his privacy?!).  Likewise, using generated ids starting from one can be faked out, since every low integer ID would "work".

Using a large tracking ID such that only one in a million possible tracking IDs will actually exist, and so do anything, would be a considerable disincentive to Mr. Hacker.

All this somewhat begs the question of why it is worthwhile for Mr. Hacker to confuse mysite.com's marketing efforts... but if there is some reason why it might be worth his while, then using tracking values that are not so easily guessable sounds reasonable to me.
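
As an added example (not code from any poster or from OpenACS, and written in Python rather than Tcl), this stores the email/key pairing under a key drawn from the operating system's CSPRNG, so that low-integer or guessed values resolve to nothing. The table name `link_tracking`, its columns and the function names are assumptions; the URL is the placeholder from the original question.

```python
import math
import secrets
import sqlite3

TOKEN_BYTES = 16  # 128 random bits per token, from the OS CSPRNG

def open_db():
    # Hypothetical table holding the email/key pairing (in-memory for the demo).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE link_tracking (token TEXT PRIMARY KEY, "
               "email TEXT NOT NULL, clicks INTEGER NOT NULL DEFAULT 0)")
    return db

def issue_token(db, email):
    # The token carries no user_id or email; it is only a lookup key.
    token = secrets.token_urlsafe(TOKEN_BYTES)
    db.execute("INSERT INTO link_tracking (token, email) VALUES (?, ?)",
               (token, email))
    return token

def tracking_url(token):
    return "http://www.mywebsite.com/link?track=" + token

def record_click(db, token):
    # Unknown tokens (guessed, sequential, truncated) match no row: return None.
    cur = db.execute("UPDATE link_tracking SET clicks = clicks + 1 "
                     "WHERE token = ?", (token,))
    if cur.rowcount == 0:
        return None
    return db.execute("SELECT email FROM link_tracking WHERE token = ?",
                      (token,)).fetchone()[0]

def click_count(db, email):
    row = db.execute("SELECT SUM(clicks) FROM link_tracking WHERE email = ?",
                     (email,)).fetchone()
    return row[0] or 0

def bits_needed(issued, odds):
    # Random bits so that only 1 in `odds` possible IDs exists among `issued`.
    return math.ceil(math.log2(issued * odds))

if __name__ == "__main__":
    db = open_db()
    url = tracking_url(issue_token(db, "some@email.com"))  # constructed sample
    print(url)
    print(record_click(db, url.split("track=")[1]))  # valid token: recipient
    print(record_click(db, "1234"))                  # guessed id: no match
    print(bits_needed(1000, 10**6))                  # 1000 links, 1-in-a-million
```

A non-cryptographic generator seeded from the clock does not give this property even at the same token length, because its output can be predicted; the length only helps when the bits come from a CSPRNG.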

7: Response to Codified URLs (response to 1)
Posted by Jonathan Ellis on
True.  Good point.
8: Response to Codified URLs (response to 1)
Posted by Rocael Hernández Rizzardini on
You know, Jonathan, the marketing guys really value the truth of their data, and a website's value is in part a function of its DB, with real data of course, not hackers' data.
9: Response to Codified URLs (response to 1)
Posted by Rocael Hernández Rizzardini on
Here is more info on how to do that. If you want to do it the easy way, follow Eve's instructions with Rob's "unique" recommendation.

I did Rob's method....

http://www.arsdigita.com/bboard/q-and-a-fetch-msg?msg%5fid=0006I7&topic%5fid=21&topic=web%2fdb