Is token in the URL safe?


3

I’m developing an application, and I’m having doubts in the password recovery part.

I have a method that the user inserts the email that is registered in the application when they forget the password. Ex:

public function esqueciSenha($email)
{
  self::enviaEmail($email);
  ...
}

That email-sending function generates a password recovery token and sends a URL to the user by email. Ex:

http://aplicacao.com/alterarSenhaPorToken?token=6d352bcc2811a85820d5252df9bb9086&id=1

At the generated URL there is a form for the user to enter the new password. I thought of having AJAX take the password change token, the user id (passed in the URL) and the new password, and send them (via POST) to the change method alterarSenhaPorToken, which receives $id, $token and $novaSenha, validates the token and id, and then changes the user's password. Ex:

public function alterarSenhaPorToken($id, $token, $novaSenha){
  // token validation
  ...
  // only after the token is accepted is the password changed
  self::trocarSenha($id, $novaSenha);
  ...
}

My doubts:

Are there problems with passing the user's token and id in the URL, in terms of security? If so, what would be the safest way to do this?

  • 2

    In the database, register the token together with the user id; then, when generating the new password, you do a lookup by that token, so you can identify by the token which user is requesting the change... and then do the update.

  • 1

    Thank you @Andrébaill, I will do what you suggest and test!

2 answers

4


Are there problems with passing the user's token and id in the URL, in terms of security?

No.

Tokens exist for exactly this purpose. It is worth mentioning that some security measures are still needed, namely:

  • Why are you showing the user ID in the URL?
  • Does this token have a lifetime?
  • Is this token unique?

Unique

It is not recommended to leave the user's ID exposed. Personally, I see no reason to work with the ID, since we are assuming this token is unique, right? Besides, this is basic: generate unique IDs. If the token is unique, it is linked to only one user, i.e., having the token you already know who the user is, which removes the need to pass the ID.

Lifetime

How long will this token be valid? It is a good idea to give it a lifetime, i.e., make the token expire; if the user does not use it within X time they will have to generate a new one.

Considerations

There are some techniques, such as tying the token to the user's IP... Well, I personally don't recommend it, because you may end up clashing head-on with common user habits. How so?

Fulano X requested a password change for an account registered to Fulano Z; Fulano Z received the email and handed the link to Fulano X. Will the link work?

Well, to conclude: this practice is perfectly normal; for password recovery you usually just need to be careful with a few details.

  • I appreciate the clarification; as for passing the id in the URL, it was only because the trocarSenha method, which receives $id and $novaSenha, is generic: I also use it to change the password of an already authenticated user.

  • 1

    @mauriciocaserta you should not pass the user ID in the link. To handle that, just work around it: in the function, if the ID is not passed, you run a query that looks the user up by token rather than by ID.

  • @mauriciocaserta do not forget to signal the answer as correct.

3

I don't see much of a problem, and it is also a common practice. I would just make these suggestions:

  1. When generating the token, save the IP address and the creation date/time.
  2. When validating the token (alterarSenhaPorToken), verify that it is the same IP and that the token is no older than X hours (or minutes, at your discretion).
  3. Since your last method is already a POST, I would also put the token in the body of the POST rather than in the query string, although I still don't see much of a problem with it. It's more for consistency anyway.
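The two answers above boil down to the same recipe: a unique random token, a lifetime, lookup by token rather than by id, and the token in the POST body. The script below is an added example (not the question's or the answers' code) that puts those points together; the table name password_resets, the function geraTokenDeRecuperacao and the body of trocarSenha are assumptions, and the in-memory SQLite database stands in for the application's real one.

```php
<?php
// Added example, not the question's or the answers' code. Assumes a table
// password_resets(token_hash, user_id, expires_at, used); an in-memory SQLite
// database is used here so the script runs stand-alone.
const TOKEN_LIFETIME_SECONDS = 3600;   // the "X hours" of the second answer

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE password_resets (token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
            expires_at INTEGER NOT NULL, used INTEGER NOT NULL DEFAULT 0)');

// Called from esqueciSenha: creates a unique, expiring token and returns the URL
// to e-mail. Only the token travels in the URL; the user id stays in the database.
function geraTokenDeRecuperacao(PDO $pdo, int $userId): string {
    $token = bin2hex(random_bytes(16));   // 128 random bits, 32 hex chars like the page's
    // Only a hash is stored, so a database leak does not expose live reset links
    // (an extra measure beyond what the answers discuss).
    $pdo->prepare('INSERT INTO password_resets (token_hash, user_id, expires_at) VALUES (?, ?, ?)')
        ->execute([hash('sha256', $token), $userId, time() + TOKEN_LIFETIME_SECONDS]);
    return 'https://aplicacao.com/alterarSenhaPorToken?token=' . $token;
}

// Token and new password arrive in the POST body. The user is looked up by token,
// not by id; lifetime and single use are checked before the password changes.
function alterarSenhaPorToken(PDO $pdo, string $token, string $novaSenha): bool {
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return false;                      // malformed token, do not touch the database
    }
    $stmt = $pdo->prepare('SELECT user_id, expires_at, used FROM password_resets WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['used'] === 1 || (int)$row['expires_at'] < time()) {
        return false;                      // unknown, already used, or expired
    }
    // Mark it used before changing the password so the link cannot be replayed.
    $pdo->prepare('UPDATE password_resets SET used = 1 WHERE token_hash = ?')
        ->execute([hash('sha256', $token)]);
    trocarSenha((int)$row['user_id'], $novaSenha);
    return true;
}

// Stand-in for the question's own trocarSenha($id, $novaSenha) (hypothetical body).
function trocarSenha(int $id, string $novaSenha): void {
    echo "user $id: new hash " . password_hash($novaSenha, PASSWORD_DEFAULT) . "\n";
}

// Demo: the e-mailed link, then the POST that uses it, then a replay of the same link.
$url = geraTokenDeRecuperacao($pdo, 1);
parse_str(parse_url($url, PHP_URL_QUERY), $query);
var_dump(alterarSenhaPorToken($pdo, $query['token'], 'nova-senha-forte'));   // first use
var_dump(alterarSenhaPorToken($pdo, $query['token'], 'nova-senha-forte'));   // replay of the same link
```

Because the lookup is by token alone, the existing generic trocarSenha($id, $novaSenha) can stay unchanged: the id it needs comes from the stored row, not from the URL.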
