Reputation: 133
URL token valid?
I am reading this book Essential PHP Security by Chris Shiflett where I came across using tokens (Session Hijacking) in URL. The book says "A better approach is to propagate a token in the URL - something that can be considered a second form of identification.
Example
<?php
$token = md5(uniqid(rand(),TRUE));
$url = array();
$html = array();
$url ['token'] = rawurlencode($token);
$html['token'] = htmlentities($url['token'], ENT_QUOTES, 'UTF-8');
?>
<a href="index.php?token=<?php echo $html['token'];?>">Click Here</a>
Once I hit "Click here", the url now has a token to it
http://localhost/urltoken/index.php?token=55420e8dce399820ecf4dfa08cf0d5a0
What I do not understand is how does the server knows whether this token is valid or not.
Upvotes: 3
Views: 1536
Answers (1)
Reputation: 781096
Save the token in a database table that has foreign key(s) referencing the user table and any other tables relevant to the application. When the user goes to the link with the token parameter, the script than looks the token up in this table. If it can't be found, the token is invalid.
A common example of this is when you create an account at a web site, and it sends you an email to validate the account. The link in the email will contain a token that refers back to the account, and when you click on it the script will mark that account as validated. Password reset emails work similarly.
Upvotes: 2
Related Questions
- How to create unique tokens correctly in php?
- is putting token in URL secure to prevent CSRF attacks in PHP applications?
- Passing token as GET variable
- PHP URL manipulation security issue
- PHP token security
- Use token in php code on drupal site
- strange token websites url
- API with tokens
- PHP - How to get tokens?
- Is this a good way to create a unique URL token in PHP.?