lijultt

Reputation: 13

How can I generate this type of link?

I saw a website that uses password reset, and the site sends to your email a link with an encryption of another level. This is the link:

domain.com/dshgfuigt73567345873464783tryweuygyu

What type of encryption or what type of system is used to get a link as clean as that? How do I get dshgfuigt73567345873464783tryweuygyu?

Does someone know? I have spent hours searching all types of encryption for PHP and none returned me a text like that. Thanks in advance, my first question!!

Upvotes: 0

Views: 55

Answers (2)

ffflabs

Reputation: 17501

It's not encryption (for it can't be decrypted*), it's a hash. In particular, it has 43 alphanumeric characters, which roughly means its binary representation amounts to 256 bits (so, 32 bytes). Therefore, I'd say it's SHA-256, but it can also be a bogus string made out of a "roll your own" algorithm.

When you try to recover your password, a random hash is generated and emailed to you and usually it's inserted into a "passwords_resets" table. When you visit the site, the hash you provide in the link is handled (through a webserver rewrite) as a query string argument.

If you present a legit hash, you are presented with a form where you can reset your password (I haven't looked at your link, it's just a common workflow). If the record isn't in the table, or it shows up as used, or its creation time is older than a reasonable threshold, then you aren't presented with said form.

Hashes are just a way to generate a seemingly unique string so that you can't guess a hash out of nowhere. Nowadays there are other ways to generate such a string, because computing power has grown exponentially since the times in which SHA256 was thought to be unbreakable.

Though it doesn't make sense to talk about decryption for a hash, you can try to find a string whose hash matches the one in your question. Again, with enough computing power you will, eventually.

(I thought SHA-256 had 44 chars but I can't find where I got that notion... maybe it's a padding char?)

Upvotes: 0

BlindPenguin

Reputation: 116

It's not encryption; it rather looks like a "token". When you want to reset a password, the website has to make sure you're the real user. So it creates a unique token, saves it in the database and sends it to you in an e-mail. After you click it, the server will check its database to see if it can find this token. If it is there, it will allow the password reset.

In terms of implementation there are many ways to achieve this. The easiest way is to just use one of the many random functions of PHP. For example "random_bytes".

Like this:

$myAwesomeToken = random_bytes(20); // 20 cryptographically secure random bytes
print(bin2hex($myAwesomeToken));     // 40-character hex string, safe to put in a URL

Since random_bytes returns binary data, you will need bin2hex to convert it to a human readable string. The result can be saved in the user table of your database. You can use that to build the URL and send it to the user.

More about that function can be found here:

https://www.php.net/manual/en/function.random-bytes.php

It is usually also a good idea to save the datetime when the reset mail was sent. Then you can invalidate it after a specific amount of time. Just as a little hint. :)

Upvotes: 1
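The full workflow both answers describe (generate, store, look up, reject expired or already-used tokens), as an added example that is not code from either answerer. An in-memory array stands in for the "passwords_resets" table, the route name is hypothetical, and only a SHA-256 hash of the token is stored, so a leaked table cannot be turned into a valid link:

```php
<?php
// Added example of the reset-token workflow described in the answers above.
// Assumption: an in-memory array stands in for the "passwords_resets" table.
const TOKEN_TTL_SECONDS = 3600; // reset links stop working after one hour

$resets = []; // assumed table: token_hash => ['user' => ..., 'expires' => ..., 'used' => ...]

// Create a token for $userId. The raw token goes into the e-mailed link;
// only its SHA-256 hash is stored, so a leaked table does not leak usable links.
function createResetToken(array &$resets, string $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));          // 64 URL-safe hex characters
    $resets[hash('sha256', $token)] = [
        'user'    => $userId,
        'expires' => $now + TOKEN_TTL_SECONDS,
        'used'    => false,
    ];
    return $token;
}

// Validate the token taken from the clicked link. Returns the user id on
// success, or null if the token is unknown, expired, or already used.
// A successful lookup marks the token as used (single use).
function consumeResetToken(array &$resets, string $token, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($resets[$key])) {
        return null;                              // no such token in the table
    }
    $row = &$resets[$key];
    if ($row['used'] || $now > $row['expires']) {
        return null;                              // replayed or stale link
    }
    $row['used'] = true;
    return $row['user'];
}

// Demonstration with constructed values.
$now   = time();
$token = createResetToken($resets, 'alice', $now);
$link  = 'https://domain.com/reset/' . $token;    // hypothetical route
echo "E-mailed link: $link\n";

var_dump(consumeResetToken($resets, $token, $now));   // first use: the user id
var_dump(consumeResetToken($resets, $token, $now));   // second use: rejected, already consumed
$late = createResetToken($resets, 'bob', $now);
var_dump(consumeResetToken($resets, $late, $now + TOKEN_TTL_SECONDS + 1)); // rejected, expired
```

In a real application the array becomes a table keyed by the token hash, and the e-mail contains the raw token only.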
