
If you're running any kind of service that uses e-mail as a communication method (which is just about everyone) and you want your users to be able to take some kind of action from the email (as just about everyone does) then you should be using Signed Idempotent Action Links. Now I know what you're thinking, "Signed Idempotent Action Links? But EVERYONE knows what those are!". I know, but here's a refresher anyway (ok so I made up the term, but it's descriptive!).

They are links that perform an action (such as "Delete this comment" or "Add this to my favorites"), carry a signature (which ties the URL to a specific user and lets the server verify the parameters in it), and are idempotent (meaning that accessing them multiple times ends in the same result). In a nutshell, they are URLs that you can click through from an email and they perform the desired action:

  • whether or not the user is signed in
  • without any additional button presses or clickthroughs

So now that we've gone over what we're dealing with, why would you want to use them? Well, because not everyone is logged into your service when they're checking their email. In fact, if they're checking it from a smartphone or a public computer they most likely aren't logged into your service unless you're Facebook. It is the friendliest way to allow your users to perform simple actions through email.

Calm Down, Security People

Of course the reason not to use SIAL is that if a link can perform an action without requiring a login then, well, anyone can perform that action if they have the link. Very true! However, this problem is not enough to completely bar the use of SIAL because:

  1. These links are being sent to people's email accounts. If your email account has been compromised, you're already in way more trouble than SIAL can give you.
  2. Developers can counter this issue by making any SIAL action reversible. Have a "Delete" link? Make sure you have an "Undelete" function in your app somewhere.
  3. Convenience trumps security for many applications. Sure, don't use SIAL to initiate wire transfers or for anything that costs money, but most applications have plenty of non-world-ending actions that can benefit from instant access.

How to Use SIAL

There are two important things to consider when using SIAL:

  1. You MUST be able to verify any actionable content in the URL.
  2. You SHOULD only allow the single action via the SIAL URL. Do not log the user in from a SIAL action.

So, how do we implement something like this? Well, it's really quite simple. Here's a method similar to how it was implemented for Qup.tv. First, we create the means to sign an action in a User model:

    require 'digest/sha1'

    class User
      # ...

      # Digest binding this user's id, the action name and its parameters
      # to a per-user secret; without secret_token it cannot be reproduced.
      def sign_action(action, *params)
        Digest::SHA1.hexdigest(
          "--signed--#{id}-#{action}-#{params.join('-')}-#{secret_token}"
        )
      end

      # True when the signature carried in the URL equals the one this user
      # would produce for the same action and parameters.
      def verify(signature, action, *params)
        signature == sign_action(action, *params)
      end
    end

What we're doing here is creating a SHA1 hash of a string that is built using a known formula and includes all of the elements needed for the action:

  • id is the id of the user
  • action is the name of the action that we're taking. For Qup the action might be queue, watch, or view.
  • params are any additional parameters that alter the outcome of the action. Again, for Qup this could be the id of the title to queue, watch, or view.
  • secret_token is a unique token for the user that is not shared publicly anywhere. You can generate this using SecureRandom or find another way to implement a secret token. It should not be derived from anything the user knows or could guess, such as a password hash.

So now that we have these methods for our user, how do we go about creating the actual URLs that we'll be using? Well, if we have a simple Sinatra application we can do it like so:

    require 'sinatra'

    helpers do
      # Loads the user named in the URL and halts with 401 unless the
      # signature matches; the session is deliberately never consulted.
      def authenticate_action!(signature, user_id, action, *params)
        @current_user = User.find(user_id)
        unless current_user.verify(signature, action, *params)
          halt 401, erb(:unauthorized)
        end
      end

      # The user established by authenticate_action!, not a session user.
      def current_user
        @current_user
      end

      # Builds /users/:id/:action/:signature/:param1/:param2/...
      def action_path(user, action, *params)
        "/users/#{user.id}/#{action}/#{user.sign_action(action, *params)}/#{params.join('/')}"
      end
    end

    get "/users/:user_id/favorite/:signature/:item_id" do
      authenticate_action!(params[:signature], params[:user_id], 'favorite', params[:item_id])
      @item = Item.find(params[:item_id])
      # Only add when absent, so repeated clicks leave the same result.
      current_user.favorites << @item unless current_user.favorites.include?(@item)
      erb :favorite_added
    end

As you can see, all we're really doing here is:

  1. Creating a helper that will display a 401 unauthorized message if the signature provided in the URL does not match the proper signature for the provided user.
  2. Creating a helper that will help us to generate URLs for our actions.
  3. Showing an example of how one such action could be built.

Notice that in this example I am making no use of session variables or any kind of persistent state. In fact, you should make sure that you ignore all such variables. If another user is signed in at the moment, the link should still work for the signed user.

One other thing to notice is that the item is only added to favorites if it isn't already there. This gives the action idempotence: whether you run it once or 100 times the result is the same, making sure that the item is in the user's favorites.
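The following is an added example, not code from the original post or from Qup.tv, that runs the whole flow described above (signing in the model, building the link, verifying it on the request, applying the action idempotently) without Sinatra or a database so it can be executed stand-alone. Two details differ from the post's snippet and are worth noting: the message is signed with an HMAC-SHA256 over a JSON-encoded array, so a parameter that happens to contain "-" cannot be mistaken for an action boundary the way a dash-joined string allows, and the comparison is constant-time rather than a plain `==`. The `User` struct, the `USERS` hash, `handle_favorite` and the item catalogue are all constructed stand-ins for the post's `User.find`, `Item.find` and favorites association.

```ruby
require 'openssl'
require 'securerandom'
require 'json'
require 'set'
require 'uri'

# Constructed stand-in for the User model: an id, a per-user secret that is
# never sent anywhere, and a Set of favourite item ids in place of the
# ActiveRecord association.
User = Struct.new(:id, :secret_token, :favorites) do
  # Canonical message: JSON keeps field boundaries unambiguous, and params
  # are stringified so values parsed back out of a URL verify correctly.
  def sign_action(action, *params)
    message = JSON.generate(['signed', id, action, params.map(&:to_s)])
    OpenSSL::HMAC.hexdigest('SHA256', secret_token, message)
  end

  def verify(signature, action, *params)
    signature.is_a?(String) && secure_equal?(signature, sign_action(action, *params))
  end

  private

  # Constant-time comparison: a plain == returns as soon as a byte differs.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Builds /users/:id/:action/:signature/:param... like the post's helper.
def action_path(user, action, *params)
  encoded = params.map { |p| URI.encode_www_form_component(p.to_s) }
  "/users/#{user.id}/#{action}/#{user.sign_action(action, *params)}/#{encoded.join('/')}"
end

# Constructed in-memory user store keyed by id (stands in for User.find).
USERS = {}

# Stand-in for the GET /users/:user_id/favorite/:signature/:item_id route.
# The user comes solely from the URL; no session is consulted, so the link
# works whoever (if anyone) is logged in, and it performs only this action.
def handle_favorite(path, items)
  segments = path.split('/').reject(&:empty?)
  unless segments.size == 5 && segments[0] == 'users' && segments[2] == 'favorite'
    return [404, 'not found']
  end
  user_id, signature = segments[1], segments[3]
  item_id = URI.decode_www_form_component(segments[4])
  user = USERS[user_id.to_i]
  return [401, 'unauthorized'] unless user && user.verify(signature, 'favorite', item_id)
  return [404, 'not found'] unless items.key?(item_id)
  user.favorites << item_id            # Set insert: a repeat click changes nothing
  [200, "favorite added: #{items[item_id]}"]
end

# Walks through one link: clicked twice (same result both times) and with
# the item id swapped (the signature no longer matches, so 401).
def demo
  USERS.clear
  alice = User.new(7, SecureRandom.hex(32), Set.new)
  USERS[alice.id] = alice
  items = { '42' => 'Brazil', '99' => 'Stalker' }   # constructed catalogue
  link = action_path(alice, 'favorite', '42')
  first    = handle_favorite(link, items)
  second   = handle_favorite(link, items)
  tampered = handle_favorite(link.sub(%r{/42\z}, '/99'), items)
  { first: first, second: second, tampered: tampered, favorites: alice.favorites.to_a }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In a real Sinatra route the same `verify` call receives `params[:signature]`, `params[:user_id]` and `params[:item_id]` from the router instead of the hand-split path; everything else, including the refusal to read the session and the set-style insert that makes the second click a no-op, carries over unchanged.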

SIAL is not a technique that you will use in every instance, but the benefits for the user can be big in terms of convenience, and it's often the small conveniences that make a big difference when developing software that people love.

If you liked this post (or didn't) and you use Netflix Instant, go check out Qup and get email alerts (with Signed Idempotent Action Links) when new titles are added.


Today we launch a suite of social enterprise solutions that will change the way you do business. Introducing Socialspring: business software, humanized. We've reimagined how social enterprise software should work and our tools are rooted in the modern tenets of social interaction to engage, empower and strengthen your employees in the areas of productivity, company culture, process, and workflow.

Web-based consumer software has drastically changed what employees expect out of the tools they use to get work done. Yet business software has not kept pace. This is why Socialspring applications have been designed with a focus on real world behavior for easier and more natural collaboration, communication and sharing.

Socialspring launches today at the Enterprise 2.0 Conference in Boston. The Enterprise 2.0 crowd is a diverse mix of thought leaders, small and large business owners, forward-thinking CTOs, and game-changing innovators. It makes sense to unveil Socialspring among this crowd and we're excited to engage with people in various markets to show them how our software can open up dormant lines of communication, expose hidden resources within their companies, and give their employees the emerging tools necessary to collaborate and innovate in today's enterprise world.

To kick off this big launch we're announcing the first three Socialspring applications: Answers, Stream and Links. All Socialspring applications will be accessible via Passport, our custom single-sign-on system that simplifies and amalgamates the process of switching between multiple business applications within one environment.


Answers is a knowledge sharing solution for the enterprise that puts the expertise of your entire company at your fingertips. With Answers, stop repeating efforts and missing opportunities with mass emails and start building a foundation of knowledge for your company.

  • Spend less time searching for information. Answers helps to centralize relevant and frequently requested information - information that is often stifled or lost through traditional email or phone conversations. Ask questions and get answers from your own in-house experts. Answers can be tagged for quick search and retrieval, ensuring that you can always find what you're looking for without fuss. It's information management for employees, departments and entire organizations.
  • Build A Network of Experts. Information trends will naturally surface in Answers. You'll be able to easily identify experts on subjects within your company and expand your own expertise.
  • Allow information to unfurl. Your employees need access to information - whether it be about your benefits programs, protocol for sales inquiries, standard procedures for interviewing candidates, current marketing strategies, guidelines for implementing a new design process, best practices for development and more. Liberate this beneficial information from antiquated two-way communication systems and make it available to anyone that might need it today, tomorrow, or a year from now.
  • Strengthen your company culture. Your employees' lives are abuzz with emerging social mediums. Answers brings social information sharing to your company in a way that is engaging, intuitive, and rewarding. The fun badge and karma system ensures quick and easy adoption and continued, worthwhile participation by rewarding your employees for exchanging information and building reputations as experts.


Stream is the secure communication and collaboration platform for today's enterprise. Your employees have great ideas. Stream unlocks those ideas with a platform designed to foster collaboration, communication and engagement in your company.

  • Better ideas, faster. The best ideas are a result of collaboration among bright people. You've hired the brightest thinkers, innovators and strategists to lead your company; now, empower them to work together and exchange and develop ideas in real-time. Stream gives your experts the competitive edge to innovate quickly and dynamically; harness the advantage of group-thought within your company.
  • Persistent Awareness. Communication is everything in the enterprise. Stream allows your employees to stay connected to the lifeblood of your company anywhere they go. Available on all major mobile, web or desktop devices, Stream provides a method for immersion whether you're at your desk, walking to lunch, in a meeting, at the gym, driving to client sites, or trapped in a server closet. Never miss a discussion around your project or announcements about product launches and press coverage. Stream keeps you persistently aware.
  • Centralize the important conversations. Your employees are always thinking, creating, and pioneering. Some of their best ideas will come to them in the lunch room, around the water cooler, driving home at the end of the day, or with a peer after work at the local wine bar. Stream acts like a virtual water cooler that brings everyone together to share and develop those bright ideas in one distinct space that is accessible any time of day or night. It provides a direct solution for exchanging ideas, collaborating on projects within groups, and relaying valuable information to specific departments, teams, or organizations.
  • Invoke passion. Nothing sends the message that you want your team to go forth and create like giving them a social collaboration tool that was designed for today's active enterprise. Giving your employees the tools to thrive creatively and professionally will result in higher levels of enthusiasm, loyalty and commitment.
  • Share media. Share pictures, audio, video, text and other files easily with Stream. Upload a design mockup and get instant feedback from your teammates. Share a screencast or new product ad and gauge interest. Collect opinions on website content before it's made live. Stream gives you the interactive platform to deliver information to the people that need it.


Links is the ultimate link sharing application for the enterprise that saves you time and space while producing valuable data. It's a simple yet powerful and secure URL shortening tool that tracks what is being shared and detects trends across departments or your entire company.

  • Protect Your Information. Your employees share hundreds of links a day to private information. Protect sensitive information with Links by setting passwords on shared URLs and creating a viewing time frame with expiration dates. Enjoy the security of knowing that shared information doesn't have to be freely accessible to just anyone; with Links it can be safeguarded so only the right people get access.
  • Social Minimalism. Encourage beauty, simplicity and function through internal link sharing. Shorten nonsensical, endless links and share them effortlessly with co-workers. They'll appreciate your succinctness.
  • Gain insight. Analytics improve our understanding of behavior and help us to form smarter strategies. With Links you can detect link sharing patterns and act on them. Track which links are clicked on to see how many people have viewed your links. Detect which types of links receive more clicks. Use the information to improve your strategy for delivering information, garnering views and calculating the optimum time of the day/week to share the information.

Safe. Secure.

In order to facilitate meaningful adoption, measurable success and immersive participation we knew that Socialspring had to be safe and secure. We're not only giving your company a way to engage, ignite and reward your employees through social collaboration and real-time communication - we're making sure all of those exchanges and innovations (and all the information that's produced as a result) are kept safe. We offer a Software as a Service (SaaS) option or a Behind-the-Firewall (BTF) installation option for the highest level of security.

Pricing

Socialspring is comfortably priced to accommodate the budgets of companies large and small:

  • Socialspring Answers - Powerful Enterprise Knowledge Sharing: $2/user/month
  • Socialspring Stream - Enterprise Strength Status Updates: $2/user/month
  • Socialspring Links - Internal Link Shortening with Analytics: $1/user/month

Forging Our Own Path

We've talked to hundreds of CEOs, CTOs, designers, developers, business strategists, and business owners and one thing was clear: business software needed to be rethought. That's why we took our own team of innovators and solutionaries and together we built the most robust and complete suite of social enterprise applications. We understand the needs of your users including your project managers, marketers, sales staff, HR professionals, board members and engineers.

Do not follow where the path may lead. Go instead where there is no path and leave a trail.

Ralph Waldo Emerson

You can depend on Socialspring to change the way your employees engage, create, and interact. Call, email, or sign up to receive more information about how Socialspring can benefit your company. We're humanizing business software. Join us.
