Nel wrote: From your (group) opinion, when sending a unique URL to a user, what steps are a must in making sure the link can't be hacked.
i.e. Bad link www.example.com?id=10&action=reset_password
would be better as http://www.example.com?id=505B6EF413...reset_password
But ultimately a hacker could work their way through all combinations and reset all passwords on all users.
So you could use http://www.example.com?id=505B6EF413...indexnumber=10 (probably not using dbindexnumber as a variable). That way the hacker would need to get both right to reset the password.
But how far do you go reasonably, without getting paranoid?
For that kind of thing what I usually do is generate a new unique key
for the action and store it in a database table with a structure similar to:
req_id varchar (md5 or other unique key)
user_id varchar (the user record id)
action varchar (the action to which this code is for)
issue_date datetime (just for tracking purposes)
expire_date datetime
verified int
Then I simply send the url like: http://example.com/verify.php?reques...19c16b82c3b80e
At that page, if the record exists, ask for username or other
identifying information, and if that is good, process the action.
--
Justin Koivisto, ZCE - ju****@koivi.com http://koivi.com
> From your (group) opinion, when sending a unique URL to a user, what steps are a must in making sure the link can't be hacked.
You check the authority of the user to perform the action *AT THE
TIME IT IS SUBMITTED*. (For example, you verify that the user is
logged in, although this is problematic with password changes. You
can, however, ensure that *NO* URL works if a password change hasn't
been requested, and that password change requests expire a few days
after they are requested.) This may seem to duplicate the check
when you produced the page, but it's not. In addition to link
hacking, something about the user may have changed (e.g. his account
expired and he didn't pay for the next month, or he got fired, or
he's not an authorized user on the account any more.)
If a user has to answer a security question ("What kennel was your
mother-in-law born in?") to even *get* that link, ask the same
question again when they try to *use* it.
> i.e. Bad link www.example.com?id=10&action=reset_password
> would be better as http://www.example.com?id=505B6EF413...reset_password
> But ultimately a hacker could work their way through all combinations and reset all passwords on all users.
That's a 128 bit hex number. Working their way through all combinations,
at 1 nanosecond per try, would take about 10 thousand billion billion years.
And I bet your server isn't nearly that fast. Be careful about your
random-number generator, though. A random number generator that uses
a 16-bit seed can reduce that time to 65 microseconds.
> So you could use http://www.example.com?id=505B6EF413...indexnumber=10 (probably not using dbindexnumber as a variable). That way the hacker would need to get both right to reset the password.
This is a reasonable approach and it saves your server a bunch of
checking when it is submitted: it only has to check it against
one record, not all of them. If there is something public about
the account that is unique (such as a posting "handle" that appears
on notes posted to a forum), that might be better than the
db index.
> But how far do you go reasonably, without getting paranoid?
I think something that takes more than a billion times your life expectancy
(the brute-force attack) isn't much of a concern. It's much more
likely that someone would manage to get access to the legitimate user's
computer or sniff packets.
Gordon L. Burditt
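A minimal version of the request table Justin describes, combined with Gordon's point that authority is checked at the moment the link is submitted (added example, not code from either poster). The in-memory dict standing in for the database, the user records and their e-mail addresses are constructed assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Stand-in for the table: req_id -> user_id, action, issue_date, expire_date, verified.
# Only a hash of the token is stored, so a leaked table does not yield usable links.
requests = {}
# Constructed user records; the submit-time check re-reads these, since the
# account may have been disabled after the link was issued.
users = {"10": {"email": "alice@example.com", "active": True},
         "11": {"email": "bob@example.com", "active": False}}

def _req_id(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(user_id, action, ttl_days=2, now=None):
    """Create a request and return the raw token to put in the e-mailed URL."""
    now = now or datetime.now(timezone.utc)
    # 128 bits from the OS CSPRNG; a seeded PRNG would shrink the search space
    # to the size of the seed, which is the failure mode Gordon warns about.
    token = secrets.token_hex(16)
    requests[_req_id(token)] = {
        "user_id": user_id, "action": action,
        "issue_date": now, "expire_date": now + timedelta(days=ttl_days),
        "verified": False,
    }
    return token

def redeem_token(token, user_id, action, email, now=None):
    """Authorize at submission time. Every condition must hold, in order:
    request exists and is unused, matches the user and action in the URL,
    has not expired, the account is still allowed to act, and the user
    supplied the same identifying information asked for at issue time."""
    now = now or datetime.now(timezone.utc)
    rec = requests.get(_req_id(token))
    if rec is None or rec["verified"]:
        return "no_such_request"          # unknown token or already used
    if not secrets.compare_digest(rec["user_id"], user_id) or rec["action"] != action:
        return "mismatch"                 # token and id in the URL must both be right
    if now > rec["expire_date"]:
        return "expired"
    user = users.get(user_id)
    if user is None or not user["active"]:
        return "account_not_authorized"   # changed since the link was produced
    if user["email"] != email:
        return "identity_check_failed"
    rec["verified"] = True                # single use
    return "ok"
```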
"Gordon Burditt" <go***********@burditt.org> wrote in message news:11*************@corp.supernews.com...
Thanks to both of you for your comments.
Nel.