Token in URL is safe?

3

I'm developing an application, and I'm doubtful about the password recovery part.

I have a method in which the user enters the e-mail registered in the application when they forget the password. Ex:

public function esqueciSenha($email)
{
  self::enviaEmail($email);
  // ...
}

This function, enviaEmail, generates a password recovery token and sends a URL to the user by e-mail. Ex:

In the generated URL there will be a form for the user to enter the new password. I thought about using AJAX to take the password change token, the user id (passed in the URL) and the new password, and send them (via POST) to the method alterarSenhaPorToken, which receives $id, $token and $novaSenha, validates the token and id, and then changes the user's password. Ex:

public function alterarSenhaPorToken($id, $token, $novaSenha){
  // token validation
  // ...
  self::trocarSenha($id, $novaSenha);
  // ...
}

My questions:

Is there a problem, security-wise, in passing the user's token and user id through the URL? If there is, what would be the safest way to do this?

asked by anonymous 01.10.2015 / 18:56

2 answers

4

Is there a problem, security-wise, in passing the user's token and id through the URL?

No.

Tokens exist for exactly this purpose. It is worth mentioning that you only need to take a few security measures, namely:

  • Why are you showing the user's ID in the URL?
  • Does this token have a lifetime?
  • Is this token unique?

Unique

It is not recommended to leave the user's ID exposed. And I do not see any reason to work with the ID, since we assume that this token is unique, correct? By the way, this is basic: generate unique IDs. If the token in this case is unique, it will be linked to only one user; that is, having the token you already know who the user is, so there is no need to pass the ID.

Lifetime

How long will this token be valid? It is worth giving it a lifetime, that is, leaving this token with a time to expire, so that if the user does not use it within x time they will need to generate a new one.

Considerations

There are some techniques like tying the token to the user's IP... well, I personally do not recommend it, because you could end up tripping over common user behaviour. What do I mean?

Fulano X requested a password change for an account that is registered to Fulano Z; Fulano Z received the e-mail and gave the link to Fulano X. Will the link work?

Well, to finish: this practice is completely normal; for password recovery you usually only need to pay attention to a few details.
01.10.2015 / 19:21
3

I do not see much of a problem and it's also a common practice. I would just make these suggestions:

  • At the time of generating the token, save the IP address and the creation date/time
  • At the time of validating the token (alterarSenhaPorToken), verify that it is the same IP and that the token is not older than X hours (or minutes, at your discretion)
  • As your last method is already a POST, I would also put the token in the body of the POST, not in the query string, although I still do not see much of a problem with it as it is. It's more for consistency.

01.10.2015 / 19:17
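The following is an added example, not code from the question or from either answer, showing one way to implement the advice from both answers together: a unique, random token whose hash is stored with a creation time (so the URL needs no user id), a lifetime check on validation, single use, the token read from the POST body, and the IP binding the second answer suggests left as an optional switch because the first answer warns it can reject legitimate users. The class, method names and the in-memory array standing in for a database table are assumptions.

```php
<?php
// Added example (not the asker's or either answerer's code). An in-memory array
// stands in for the token table; in a real application use your database.

class PasswordResetTokens
{
    private const TTL_SECONDS = 3600;   // lifetime: 1 hour is assumed here

    // Hypothetical store: sha256(token) => ['user_id', 'created_at', 'ip']
    private array $store = [];

    public function __construct(private bool $bindToIp = false) {}

    // Generates an unpredictable token, stores only its hash, and returns the
    // raw token for the e-mailed URL. Because the token is unique per request
    // it identifies the user on its own; the URL does not need the user id.
    public function geraToken(int $userId, string $requestIp): string
    {
        $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
        $this->store[hash('sha256', $token)] = [
            'user_id'    => $userId,
            'created_at' => time(),
            'ip'         => $requestIp,
        ];
        return $token;
    }

    // Validates a token taken from the POST body and returns the user id it
    // belongs to, or null. The row is deleted first, so the token is single
    // use whether or not the later checks pass. Looking up the hash of the
    // submitted token (rather than the raw value) means a leaked table does
    // not hand out usable tokens.
    public function validaToken(string $token, string $requestIp): ?int
    {
        $key = hash('sha256', $token);
        if (!isset($this->store[$key])) {
            return null;                           // unknown or already used
        }
        $row = $this->store[$key];
        unset($this->store[$key]);

        if (time() - $row['created_at'] > self::TTL_SECONDS) {
            return null;                           // expired
        }
        if ($this->bindToIp && $row['ip'] !== $requestIp) {
            return null;                           // optional IP binding
        }
        return $row['user_id'];
    }
}

// Usage: build the reset URL when the user asks for recovery...
$tokens = new PasswordResetTokens(bindToIp: false);
$token  = $tokens->geraToken(42, '203.0.113.5');                 // constructed values
$url    = 'https://app.example/redefinir-senha?token=' . urlencode($token);

// ...and later consume the token sent back in the POST body of the form.
$post   = ['token' => $token, 'novaSenha' => 'nova-senha-forte'];  // constructed POST body
$userId = $tokens->validaToken($post['token'], '203.0.113.5');    // 42 on first use

if ($userId === null) {
    echo "Token inválido ou expirado\n";
} else {
    // here the application would call trocarSenha($userId, $post['novaSenha'])
    echo "Token válido para o usuário {$userId}\n";
}

// A second submission of the same token fails: it was consumed above.
var_dump($tokens->validaToken($post['token'], '203.0.113.5'));   // NULL
```

Because the token is looked up by its hash and then discarded, the reset form only needs the token and the new password; the user id that the question passes in the URL is recovered from the token row on the server side.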