B Seven

Reputation: 45943

How to have a Javascript client create a secure UUID?

Is it possible for a JavaScript client to create a UUID that cannot be faked?

For example, suppose one of the solutions from "Create GUID / UUID in JavaScript?" were used to generate a UUID and send a create request with the UUID to the server. Is it possible for the server to check that the UUID was indeed created by the JavaScript function and not by some other function?

One idea is to use a checksum, but the UUID generation and checksum code would be visible to a "hacker". They could simply modify the Javascript function and then add the checksum.

So, are there any good solutions to this problem?

Upvotes: 0

Views: 1458

Answers (2)

Adam

Reputation: 6733

You can do some basic sanity checks like length or format, but what you are actually asking is "Given a number can I check that it was generated by a particular random number generator?". If the random number generator is truly random then the answer has to be "no", since if I can back-track from the answer to the function that easily then it's not very random.

Upvotes: 0

plalx

Reputation: 43718

You shouldn't care about who created the UUID. The server should only check if the UUID sent by the client respects the UUID format and perhaps check if somehow the same UUID was used already (this depends on your needs).

That is unless your UUID value is used as a secret (e.g. an activation number). In this case, the value shouldn't be generated client-side and the server should keep track of the values it generated.

Upvotes: 1
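
The two cases in the answer above, sketched as server-side JavaScript. This is an added example, not code from either answerer. The class and method names are hypothetical, the in-memory `Set`/`Map` stands in for a database with a unique constraint, and restricting the format to version 4 and making secrets single-use are assumptions.

```javascript
// Added example: server-side handling of UUIDs (all names here are hypothetical).
// Node 19+ and browsers expose globalThis.crypto; older Node falls back to the module.
const cryptoApi = globalThis.crypto ?? require('node:crypto');

// RFC 4122 version 4 layout: version nibble is 4, variant nibble is 8, 9, a or b.
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

class UuidRegistry {
  constructor() {
    this.seen = new Set();   // client-chosen identifiers already accepted
    this.issued = new Map(); // server-issued secret -> has it been redeemed?
  }

  // Case 1: the UUID is only an identifier. Check format and uniqueness;
  // who or what generated it cannot be verified and is not checked.
  acceptClientId(value) {
    if (typeof value !== 'string') return { ok: false, reason: 'not-a-string' };
    const id = value.toLowerCase(); // normalize so case variants count as duplicates
    if (!UUID_V4.test(id)) return { ok: false, reason: 'bad-format' };
    if (this.seen.has(id)) return { ok: false, reason: 'duplicate' };
    this.seen.add(id);
    return { ok: true, id };
  }

  // Case 2: the value is a secret (e.g. an activation number).
  // The server generates it and records that it did so.
  issueSecret() {
    const token = cryptoApi.randomUUID();
    this.issued.set(token, false);
    return token;
  }

  // Only values this server issued are honored, each one once (assumption).
  redeemSecret(value) {
    if (typeof value !== 'string' || !this.issued.has(value)) {
      return { ok: false, reason: 'unknown' };
    }
    if (this.issued.get(value)) return { ok: false, reason: 'already-used' };
    this.issued.set(value, true);
    return { ok: true };
  }
}
```

A well-formed UUID that the server never issued fails `redeemSecret` with `unknown`, which is the property a client-side checksum cannot provide.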
