MikeS

Reputation: 247

Tamper proof way to verify a 'confirm' email link with preventive measures for tampering?

Story for context: I have an ePetition-type service running on my site, from which I email people a link where they can 'agree' to the petition. This link will only contain the 'petitionID' and 'username' of the person who sent it.

This information isn't particularly sensitive but I still require it to be tamper-proof because I want them to be able to accept without signing in or storing values in the database.

I thought of using Java's String.hashCode() function.

Maybe having the url as: username, petitionId and then a hash

www.website.com/accept.jsp?user='username'&id='petid'&token='1039678106'

The token could be made up of username + id(from the link) + datePetitionStarted(like the salt not exposed in the url) like:

String test = "[email protected]+1524+09/02/2016";
System.out.println(test.hashCode());

This would give me a hash of '1039678106' which means server side, I can take the ID parameter, the username of the person and use the datePetitionStarted, get the hashcode and compare them.

Do you think this is a valid way of preventing tampering?

I'm really after a token-type method of accepting petitions so if anyone has any other ideas that would be awesome.

Thanks,

Mike

Upvotes: 0

Views: 220

Answers (2)

Michael Lloyd Lee mlk

Reputation: 14661

While String.hashCode() may return the same value for the same string across instances, this is not guaranteed.

Whenever it is invoked on the same object more than once during an execution of a Java application, the hashCode method must consistently return the same integer, provided no information used in equals comparisons on the object is modified. This integer need not remain consistent from one execution of an application to another execution of the same application.

API docs for Object.hashCode.

As such, if you were to go down this route you should use your own hash.

Upvotes: 0
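
An added example, not code from the question or from either answer: one way to make the link tamper-evident without a database row is to replace the plain hash with a keyed MAC (HMAC-SHA256) over the username and petition ID, so the token cannot be recomputed by anyone who lacks the server-side secret. The class name, the secret and the sample values below are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class PetitionLinkToken {
    // Assumption: a random secret held only on the server (loaded from config), never put in the URL.
    private final SecretKeySpec key;

    public PetitionLinkToken(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    // Length-prefix each field so ("ab","c") and ("a","bc") can never yield the same MAC input.
    private byte[] tag(String user, String petitionId) throws Exception {
        String msg = user.length() + ":" + user + "|" + petitionId.length() + ":" + petitionId;
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // Token to append to the emailed link as the 'token' parameter (URL-safe Base64).
    public String sign(String user, String petitionId) throws Exception {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag(user, petitionId));
    }

    // Recompute the MAC from the request parameters and compare it to the supplied token.
    public boolean verify(String user, String petitionId, String token) throws Exception {
        if (user == null || petitionId == null || token == null) return false;
        byte[] supplied;
        try {
            supplied = Base64.getUrlDecoder().decode(token);
        } catch (IllegalArgumentException e) {
            return false; // malformed Base64, so not a token this server issued
        }
        // MessageDigest.isEqual compares in constant time, avoiding a timing side channel.
        return MessageDigest.isEqual(tag(user, petitionId), supplied);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; a real secret should come from SecureRandom.
        PetitionLinkToken t = new PetitionLinkToken("demo-secret".getBytes(StandardCharsets.UTF_8));
        String token = t.sign("alice@example.com", "1524");
        System.out.println("accept.jsp?user=alice%40example.com&id=1524&token=" + token);
        System.out.println("untouched link: " + t.verify("alice@example.com", "1524", token));
        System.out.println("id changed:     " + t.verify("alice@example.com", "1525", token));
    }
}
```

Because nothing is stored, a signed link like this stays valid and replayable until the secret is rotated; an expiry timestamp can be added as a further MAC'd field if links should lapse.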

dsp_user

Reputation: 2119

Here's what I did (which is practically tamper-proof). I don't use JavaScript as users can disable it anyway. I simply create a UUID (which is stored in a database next to user details) and then create a link sent in an email during the registration process.

http://my_domain_name/Activate?key=6faeecf5-9ab3-46f4-9785-321a5bbe2ace

When the user clicks on the link above, the server side code checks that this key actually exists in the database, in which case it activates the user account.

Upvotes: 2
