May 4th, 2004, 01:53 PM
#1
Thread Starter
Frenzied Member
Request.QueryString/Request[""] and Security
I have been trying to completely avoid using the querystring because depending on the levels of security you code into your site it can be used to insert invalid data/scripts and so depending on what your site uses in the way of dynamic page creation/layout and so on.
My question is what kinds of things would I really need to use the query string for?
For instance: I have a message delivery system that works basically the same way as this forum's. I.e., if I am part of an ongoing message chain/thread I get an e-mail that links to the latest msg.
Originally I passed the actual guid of the msg and user, but I got to thinking, well, a savvy hacker could possibly break that; even with a password check they could eventually brute through if they figured out my IP login attempt limit and did some fancy IP work.
So I decided to go with a notification with just the msg id, and the user has to log in or have their login stored, and I'm not sure I am going to allow it to be stored because the messages can involve bank accounts and other information.
I guess I'm asking how would you guys handle something like that in terms of security? I know I need to SSL it obviously.
Magiaus
If I helped give me some points.
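
One way to handle the notification link described in the post, as an added example that is not part of the original thread: the query string carries only the message id, the login supplies the identity, and the server checks that identity against the message before showing anything. The page name `ViewMessage.aspx`, the `msg` parameter and the in-memory `Participants` store are assumptions for illustration; the code assumes ASP.NET Web Forms with Forms authentication on .NET 4 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind for ViewMessage.aspx?msg=<guid>
public class ViewMessagePage : Page
{
    // Constructed sample store: message id -> user names allowed to read it.
    static readonly Dictionary<Guid, HashSet<string>> Participants =
        new Dictionary<Guid, HashSet<string>>
        {
            { new Guid("11111111-2222-3333-4444-555555555555"),
              new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "alice", "bob" } }
        };

    // Decision function: the raw query-string value is parsed strictly and
    // is only ever used as a lookup key, never as proof of identity.
    public static bool MayRead(string rawId, string userName, out Guid id)
    {
        id = Guid.Empty;
        HashSet<string> allowed;
        return !string.IsNullOrEmpty(userName)
            && Guid.TryParseExact(rawId, "D", out id)
            && Participants.TryGetValue(id, out allowed)
            && allowed.Contains(userName);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // The link only identifies the message; the login proves who is asking.
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage(); // comes back via ReturnUrl
            return;
        }
        Guid id;
        if (!MayRead(Request.QueryString["msg"], User.Identity.Name, out id))
        {
            // Same answer for malformed, unknown and forbidden ids, so the
            // response does not reveal which message ids exist.
            Response.StatusCode = 404;
            Response.End();
            return;
        }
        // HtmlEncode anything echoed into the page, even a validated value.
        Response.Write(HttpUtility.HtmlEncode("Message " + id.ToString("D")));
    }
}
```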