I have a web application (order system) which is going to send an e-mail to a confirmer each time an order is going to be approved/rejected.
To avoid the confirmer having to log in to the system each time, I want to put a direct link in the e-mail from which you can approve or reject the order...
My question is:
How can I authenticate the confirmer, if I don't use the username and password of the confirmer in the link?
Can I use the digest (hash) of his password? What if someone gets this digest, then they have access to the confirmer's account through this direct link "backdoor"?
Below I show an example of how another network solves the problem. They use a loginid and smid? How does this work?
http://www.domain.do?loginid=F6UQ7B12gregewre98985&smid=10786785_100_KkyA04Aic0IzlulkuiVI-454876488

[ August 02, 2006: Message edited by: Jeppe Fjord ]
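One way to build such a link without any password material, as an added example that is not part of the original post and does not describe how the quoted loginid/smid link works: the link carries a token bound to one order and one confirmer, signed with a server-side key, with an expiry and single use. The names `SERVER_KEY`, `issue_token`, `redeem_token` and the in-memory nonce set are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret that never leaves the server
_used_nonces = set()                  # assumption: stands in for a database table

def _sign(payload: str) -> str:
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")

def issue_token(order_id: int, confirmer_id: int, ttl_seconds: int = 86400, now=None) -> str:
    """Value to put in the e-mail link; a leak exposes one order, not the account."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)  # URL-safe alphabet, never contains "."
    payload = f"{order_id}.{confirmer_id}.{issued + ttl_seconds}.{nonce}"
    return f"{payload}.{_sign(payload)}"

def redeem_token(token: str, order_id: int, now=None):
    """Return the confirmer id if the token authorises a decision on order_id, else None."""
    try:
        payload, sig = token.rsplit(".", 1)
        tok_order, confirmer, expires, nonce = payload.split(".")
        tok_order, confirmer, expires = int(tok_order), int(confirmer), int(expires)
    except ValueError:
        return None  # malformed token
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None  # forged or altered
    if tok_order != order_id:
        return None  # valid token, but issued for a different order
    if (time.time() if now is None else now) > expires:
        return None  # link too old
    if nonce in _used_nonces:
        return None  # already used once
    _used_nonces.add(nonce)
    return confirmer

if __name__ == "__main__":
    t = issue_token(order_id=42, confirmer_id=7)  # constructed sample values
    print("https://orders.example/decide?order=42&token=" + t)
    print(redeem_token(t, 42), redeem_token(t, 42))  # second use is refused
```

Mail gateways and clients may fetch links automatically, so redeem the token when the confirmer submits the approve/reject form, not when the page is first loaded.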