Emil Østervig

Reputation: 460

What can I use to generate a non-guessable URL for each user?

I am working on a project that will have users and profile images. I need to save these images in a folder and be able to receive the image from knowing the user ID.

I'm picturing something like /images/profiles/{hash of user ID here}.png. The user ID will be an integer, e.g. 52 or 495.

Upvotes: 1

Views: 647

Answers (1)

Ente

Reputation: 2462

Instead of using a sequential number, you should generate a Universal Unique Id (UUID) and use that to identify a user. The UUID can then also become part of the URL you are using.

I would suggest UUIDv4 in your case, which will contain 122 bits of randomness. Since your user IDs should not be publicly available or guessable, you have to make sure that the UUID generator you are using is backed by a secure random number generator.

If 122 bits of randomness is not sufficiently secure for your needs, just generate some random data of sufficient length, using a secure random number generator, and convert that to hex.

BUT in case you have to be able to control who accesses the information stored for a user, you are on the wrong path. In this case, you won't get around implementing an authentication/authorization layer.

Upvotes: 3
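The approach from the answer, as an added example that is not part of the original post: each integer user ID gets a random token (UUIDv4, or longer CSPRNG output converted to hex) that is stored alongside it and used in the image path. Python is an assumption, since the question names no language; the class name `ProfileImageTokens` and its in-memory dictionaries are hypothetical stand-ins for a database column.

```python
import re
import secrets
import uuid

# Hex-only token between the fixed prefix and suffix: nothing else is accepted.
PATH_RE = re.compile(r"/images/profiles/([0-9a-f]{32,})\.png")


class ProfileImageTokens:
    """In-memory stand-in for a 'token' column stored next to each user ID."""

    def __init__(self, nbytes=None):
        # nbytes=None -> UUIDv4 (122 random bits); otherwise nbytes of CSPRNG data.
        if nbytes is not None and nbytes < 16:
            raise ValueError("use at least 16 random bytes")
        self.nbytes = nbytes
        self._by_user = {}
        self._by_token = {}

    def _new_token(self):
        if self.nbytes is None:
            return uuid.uuid4().hex  # CPython's uuid4() reads os.urandom()
        return secrets.token_hex(self.nbytes)  # random data converted to hex

    def path_for(self, user_id):
        """Return the image path for a user, creating the token on first use."""
        token = self._by_user.get(user_id)
        if token is None:
            token = self._new_token()
            self._by_user[user_id] = token
            self._by_token[token] = user_id
        return f"/images/profiles/{token}.png"

    def user_for_path(self, path):
        """Map a requested path back to a user ID, or None if it is unknown."""
        match = PATH_RE.fullmatch(path)
        return self._by_token.get(match.group(1)) if match else None


if __name__ == "__main__":
    store = ProfileImageTokens()
    print(store.path_for(52))
    print(store.path_for(495))
    print(store.user_for_path("/images/profiles/52.png"))  # None
```

The token only makes the path hard to guess; as the answer notes, controlling who may fetch an image still requires an authentication/authorization check.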
