Just thought I'd add that I just came up with another idea (it supplements the cookie/session idea I noted in a comment above). If I include the IP address in the encrypted value, that would make it tied to that computer fairly uniquely, although not perfectly uniquely (because multiple computers behind a router can have the same IP address, so the person could IM the link to their coworker for example and the server might mix the two computers up). One way to mitigate that risk is to add the current date/time to the value. On each postback, the new date/time would be used (perhaps performing a redirect). If the date/time in the value is older than, say, 20 minutes, the server would consider it a bad request (so it would be similar to an expired session). To sum things up so far, the encrypted value would contain this information:
- A GUID.
- The user's IP address.
- The current date/time (of each web request).
Maybe I could even add other unique information about the computer, such as the browser version. The more unique information, the less likely the URL can be used on another user's computer.
Oh, and one more idea. If I use AJAX, I can make the expiration duration even more frequent (say, every 10 seconds), because I can make asyncronous server requests periodically without interrupting the user with a full postback. The posback URL can then be modified to use the most frequent encrypted value (which would be stored in a JavaScript variable). This would make the solution even more secure (though less stable, as a temporary interruption of network availability would cause the user to have to start over).