generating random, single use URLs

Question

I'm creating a pretty simple application which allows references (of potential employees) to upload their own reference letters. Here's how it works:

• The applicant submits the references email
• The reference receives an automatically generated email containing a unique URL (for security reasons)
• Reference follows the link, answers security question (in case he wishes to access the site more than once)
• Uploads letter

I'm stuck on how to generate a completely (okay, okay, quasi will do) random URL. What's more: how do I ensure that following the link will direct the references to the correct page? Do I have to create a new page containing the drop box every time I send out a random URL?

Thanks for any suggestions on how to go about this :)

Answer 1

You could also create a random permutation of numerals and characters so that

hash($previous) // is unique

The basic idea is that the 'hash'-function depends only on the previous value, creating a new unique value. For example so that '0' -> '1', '1' -> '2', '9' -> 'a', 'z' -> '10', 'z0' -> '11'. Such an algorithm is relatively easy to devise

Answer 2

I presume that when you say that you want to generate a random URL, you are essentially asking to generate a random string. This is potentially very simple; here's some pseudocode:

for i = 1 to stringLength
    randomString[i] = floor(random() * 26) + 'a'
end

In other words, generate a random number between 0 and 25, and add it to the ASCII value for the character 'a'. This would generate a random string of lowercase letters, which I think should be sufficient for your task. In PHP, you would use the rand function. It would be advisable to use the srand function to seed the random number generator with the current time, like the example at the end of the given link.

As for the second part; I recommend that you simplify things; rather than generating an actual page with a random URL, why not simply pass a random string into the query string such as:

www.mydomain.com/uploadReference.php?id=xxxxxxx

Where xxxxxxx is your random string. You can then verify the string and look it up in a database using PHP. This seems, for your purposes, by far the easiest way.

Answer 3

You can make a unique string based on some form of hash of the current time stamp or the reference's unique credentials (e.g. username or something). You could then create one page for the dropbox that would accept that unique string in the URL to be used for a script on the page which would retrieve the relevant data mapped by that string in a database.

Answer 4

You might try using a hash algorithm which generates the unique-esque checksum from the contents of the file. Usually (for example with md5()) one byte change in the original content results in a completely different hash. (Notice: md5 has some collision vulnerabilities.)

If you store the uploaded file with the filename of the hash, you will be able to retrieve it at a later date, but for more complex system, there should be a database set up which makes the relation between the random URL and the stored content.

If you don't want to hash, there code snippet below could help to generate random URLs (but make sure that if an URL is already used, you prevent accidental overwrites):

md5( sha1( time() + rand(0, time()) ) );