Generating Private, Unique, Secure URLs

Tags:

security

url

php

I'd like to generate a secure one-click-access type of url similar to the examples below. I'll be using PHP but that is irrelevant as I'm just looking to understand the underlying concept. Some answers suggest using a GUID, but I don't think that will give me an absolutely unique, secure URL like below.

#    Google Calendar
3qq6jlu04ptlhmb9fencsu5t2k
#    Private
3qq6jlu04ptlhmb9fencsu5t2k
#    Private 'token'
163a0afe7fkb1ba2acd04c11ef0eefe8
#    LogMeIn
#    1024 bit - 128 Character URL
72oxuj0fzefqo3fu04xjtvmd0adj2948rfh7g5by4forkwcy7t651z7hcb6kjjgqkxmvmfqpyrcfy15z1fto8ewcxstjc6avicag7d5qnoimsm19kb9kgi9i7v6z01d5

I'm leaning toward that 128 character, 1024 bit style, as it seems very secure. I guess I could make four MD5 hashes and merge them, but is that really effective?

I have two specific intentions for a url such as this, but I'm sure there are others who may find this useful.

1) Instant log in shortcut/icon for users

2) Single-use url (Password recovery links)

Blaine asked Mar 01 '09 09:03




1 Answer

Update:

For something like a single use URL, I'd go with the GUID-esque approach that has been suggested. Make sure to have a short lifespan on the link.

For an instant log-in, there is no really secure way to have a single URL.

Yes you can generate a URL which is going to be damn near impossible to guess, but that doesn't give you super security. If you want to remember users, why not use an encrypted authentication cookie?

The example you give, Google Calendar doesn't log you in via the URL alone, you have to be authenticated first before the URL means anything.

E.g. clicking on google calendar from my gmail gives me:

https://www.google.com/calendar/render?tab=mc&gsessionid=-LTeHrnKoeAbDcVaN68NHA

That doesn't help you access my account unless you've first authenticated as me.

Old post:

You can generate a GUID in PHP using com_create_guid and use that.

On linux I think you can use uuid_create, or this code from here:

<?php
function guid() {
    if (function_exists('com_create_guid')) {
        // Windows only: the COM extension produces a real GUID
        return com_create_guid();
    } else {
        // Elsewhere: build a GUID-shaped string from the MD5 of a uniqid().
        // uniqid()/rand() are time-based, not cryptographically random, so this
        // yields a unique-looking identifier, not an unguessable secret.
        // (The original mt_srand((double)microtime()*10000) reseed is dropped:
        // PHP seeds automatically since 4.2.0 and that seed had little entropy.)
        $charid = strtoupper(md5(uniqid(rand(), true)));
        $hyphen = chr(45); // "-"
        $uuid = chr(123)   // "{"
              . substr($charid, 0, 8) . $hyphen
              . substr($charid, 8, 4) . $hyphen
              . substr($charid, 12, 4) . $hyphen
              . substr($charid, 16, 4) . $hyphen
              . substr($charid, 20, 12)
              . chr(125); // "}"
        return $uuid;
    }
}
echo guid();
?>
Andrew Barrett answered Oct 02 '22 13:10
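As an added example (not code from the question or the answer above), here is how the single-use, short-lived link the answer recommends can be issued and checked in PHP 7.1+: the secret comes from random_bytes() rather than md5(uniqid()), only its SHA-256 is stored, and the record is burned on first use. The in-memory $store array and the example.com link are stand-ins for a database table and the real site.

```php
<?php
// Added example: single-use, time-limited reset token (PHP 7.1+).
// Assumption: $store stands in for a database table keyed by token hash.

const TOKEN_TTL = 900; // seconds; keep the link's lifespan short

// Issue a token carrying 256 bits of CSPRNG entropy and return its URL-safe
// form for the link. Only the SHA-256 of the token is persisted, so a leaked
// table cannot be turned back into working links.
function issue_token(array &$store, string $userId, int $now): string {
    $raw   = random_bytes(32);                                     // CSPRNG, not rand()/uniqid()
    $token = rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');   // base64url, 43 chars
    $store[hash('sha256', $token)] = [
        'user'    => $userId,
        'expires' => $now + TOKEN_TTL,
        'used'    => false,
    ];
    return $token;
}

// Redeem a presented token: look it up by hash, reject if expired or already
// used, otherwise mark it used. Returns the user id on success, null otherwise.
function redeem_token(array &$store, string $presented, int $now): ?string {
    $key = hash('sha256', $presented);
    if (!isset($store[$key])) {
        return null;                                   // unknown token
    }
    $rec = $store[$key];
    if ($rec['used'] || $now > $rec['expires']) {
        unset($store[$key]);                           // drop stale/burned records
        return null;
    }
    $store[$key]['used'] = true;                       // single use
    return $rec['user'];
}

// Demo with a constructed clock value
$store = [];
$t0    = 1700000000;
$token = issue_token($store, 'user-42', $t0);
$link  = 'https://example.com/reset?token=' . $token;  // placeholder host
echo $link, "\n";
var_dump(redeem_token($store, $token, $t0 + 60));      // first use, within TTL
var_dump(redeem_token($store, $token, $t0 + 61));      // same link presented again
$t2 = issue_token($store, 'user-42', $t0);
var_dump(redeem_token($store, $t2, $t0 + TOKEN_TTL + 1)); // fresh link, after TTL
```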