Posted by Justin Koivisto on 10/14/10 11:40
Nel wrote:
> From your (group) opinion, when sending a unique URL to a user, what steps
> are a must in making sure the link can't be hacked.
>
> i.e. Bad link
> www.example.com?id=10&action=reset_password
>
>
> would be better as
> www.example.com?id=505B6EF41388913908D9B65B35DEAAEE&action=reset_password
>
> But ultimately a hacker could work their way through all combinations and
> reset all passwords on all users.
>
> So you could use
> www.example.com?id=505B6EF41388913908D9B65B35DEAAEE&action=reset_password&dbindexnumber=10
> (probably not using dbindexnumber as a variable) That way the hacker would
> need to get both right to reset the password.
>
> But how far do you go reasonably, without getting paranoid?

For that kind of thing what I usually do is generate a new unique key
for the action and store it in a database table with a structure similar to:

    req_id       varchar   (md5 or other unique key)
    user_id      varchar   (the user record id)
    action       varchar   (the action this code is for)
    issue_date   datetime  (just for tracking purposes)
    expire_date  datetime
    verified     int

Then I simply send the URL like:

    http://example.com/verify.php?request=5e4f66d5234debe3ba19c16b82c3b80e

At that page, if the record exists, ask for username or other
identifying information, and if that is good, process the action.

--
Justin Koivisto, ZCE - justin@koivi.com
http://koivi.com
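
Added example (not code from the post above): the request table described in the reply, issued and redeemed in PHP. The function names, the in-memory SQLite database, the one-hour lifetime, storing only a SHA-256 hash of the key in req_id, and using user_id as the identifying information are assumptions of this example.

```php
<?php
// Assumed setup: in-memory SQLite with the columns listed in the reply.
// req_id holds the SHA-256 of the key, so a leaked table cannot be replayed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE requests (
    req_id      TEXT PRIMARY KEY,
    user_id     TEXT NOT NULL,
    action      TEXT NOT NULL,
    issue_date  INTEGER NOT NULL,
    expire_date INTEGER NOT NULL,
    verified    INTEGER NOT NULL DEFAULT 0)');

// Create a request row and return the key that goes into the e-mailed URL.
function issue_request(PDO $db, string $userId, string $action, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(16)); // 128 bits from the OS CSPRNG
    $now = time();
    $db->prepare('INSERT INTO requests (req_id, user_id, action, issue_date, expire_date)
                  VALUES (?, ?, ?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, $action, $now, $now + $ttl]);
    return $token;
}

// Redeem a key: the row must exist, match the action and the identifying
// information the visitor entered, be unexpired, and not have been used.
function redeem_request(PDO $db, string $token, string $action, string $claimedUserId): bool
{
    // One conditional UPDATE, so two concurrent requests cannot both succeed.
    $stmt = $db->prepare('UPDATE requests SET verified = 1
                          WHERE req_id = ? AND action = ? AND user_id = ?
                            AND verified = 0 AND expire_date > ?');
    $stmt->execute([hash('sha256', $token), $action, $claimedUserId, time()]);
    return $stmt->rowCount() === 1;
}

// Constructed demonstration data.
$token = issue_request($db, 'nel', 'reset_password');
echo "http://example.com/verify.php?request=$token\n";
var_dump(redeem_request($db, $token, 'reset_password', 'mallory')); // wrong identity
var_dump(redeem_request($db, $token, 'reset_password', 'nel'));     // matching identity
var_dump(redeem_request($db, $token, 'reset_password', 'nel'));     // second use of the same key
```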