Using Guidelines to Display “Safe” Invoices

I created a website for student management (a martial arts school), which includes billing students. Currently, the only way my users can do this is to print out the invoices and hand them to students. I would like to create a way for students to view their account online.

I considered using a GUID for students and using this as a query string parameter for an invoice (Http://thesite.com/invoice.php?guid=E3D3D122-5AB6-4405-96EC-7C0579710813).

The invoice will be a read-only page and will not have access to the rest of the site. Therefore, I don't have to worry about packet sniffing (I don't believe that someone sniffing traffic in a cafe is a problem if all they have access to is a random student account).

My concern is that someone might guess or iterate through a specific set of invoices (i.e. all of a competitor's invoices).

I feel like I'm either crazy to consider this, or this is relatively standard practice. I just don't know which. And SO is a great sanity check.

Thanks

+3
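The design the question describes (an unguessable link that grants read-only access to one invoice) is commonly called a capability URL. Below is an added example, not code from the question or from the school's site, showing the pieces a practitioner would want around such a link: a token drawn from the OS CSPRNG rather than a GUID, only its hash stored server-side, scoping to a single invoice, expiry, revocation, and a per-client count of unknown tokens so that guessing shows up in monitoring. The store, the `thesite.example` base URL and the `token` parameter name are assumptions for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed in-memory stores for the example; a real site would back these with its database.
# Only sha256(token) is stored, so a copied table does not yield working links.
TOKEN_STORE: Dict[str, Tuple[int, float]] = {}   # digest -> (invoice_id, expires_at)
FAILED_LOOKUPS: Dict[str, int] = {}               # client -> count of unknown tokens (enumeration signal)
TOKEN_BYTES = 32                                  # 256 bits from the OS CSPRNG; a GUID gives no such guarantee
DEFAULT_TTL = 30 * 24 * 3600                      # links expire, so a leaked one stops working on its own


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_invoice_link(invoice_id: int, now: float, ttl: int = DEFAULT_TTL,
                       base: str = "https://thesite.example/invoice.php") -> str:
    """Mint a link that grants read access to exactly one invoice.
    Scoping the token to one invoice (not to the student) limits what a
    forwarded or leaked link exposes."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    TOKEN_STORE[_digest(token)] = (invoice_id, now + ttl)
    return f"{base}?token={token}"


def token_from_url(url: str) -> str:
    """Pull the token out of the query string (empty string if absent)."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


def resolve_invoice(token: str, now: float, client: str = "unknown") -> Optional[int]:
    """Return the invoice id for a valid, unexpired token, otherwise None.
    Unknown tokens are counted per client so that guessing attempts are
    visible to monitoring instead of silently producing 404s."""
    entry = TOKEN_STORE.get(_digest(token))
    if entry is None:
        FAILED_LOOKUPS[client] = FAILED_LOOKUPS.get(client, 0) + 1
        return None
    invoice_id, expires_at = entry
    if now >= expires_at:
        TOKEN_STORE.pop(_digest(token), None)   # expired: drop it so it cannot be replayed
        return None
    return invoice_id


def revoke_invoice_link(token: str) -> bool:
    """Let staff invalidate a link early (e.g. when an invoice is reissued)."""
    return TOKEN_STORE.pop(_digest(token), None) is not None
```

The request handler for invoice.php would call `resolve_invoice` with the client address and render the invoice only on a non-None result.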
2 answers

, ; URL-, , , . , , .

.

+2

- pdf-. :

  • (- , PDF ).
  • , , - GUID (, , /URL-, ), , ( , ..).
  • -, .
+2

Source: https://habr.com/ru/post/1775030/

