I'd like to generate a secure one-click-access type of url similar to the examples below. I'll be using PHP but that is irrelevant as I'm just looking to understand the underlying concept. Some answers suggest using a GUID, but I don't think that will give me an absolutely unique, secure URL like below.
# Google Calendar
3qq6jlu04ptlhmb9fencsu5t2k
# Private
3qq6jlu04ptlhmb9fencsu5t2k
# Private 'token'
163a0afe7fkb1ba2acd04c11ef0eefe8
# LogMeIn
# 1024 bit - 128 Character URL
72oxuj0fzefqo3fu04xjtvmd0adj2948rfh7g5by4forkwcy7t651z7hcb6kjjgqkxmvmfqpyrcfy15z1fto8ewcxstjc6avicag7d5qnoimsm19kb9kgi9i7v6z01d5
I'm leaning toward that 128 character, 1024 bit style, as it seems very secure. I guess I could make four MD5 hashes and merge them, but is that really effective?
I have two specific intentions for a url such as this, but I'm sure there are others who may find this useful.
1) Instant log in shortcut/icon for users
2) Single-use url (Password recovery links)
You might want to share your video only for a specific period, you can use the "private URL". It allows you to send your video without publishing it. This private URL can have an expiry date if you need it.
But clearly, random URLs don't relate to the secrecy of design/implementation. Thus, random URLs, whatever their faults, cannot be classified as security through obscurity.
It's not secure. For HTTP traffic your secret URL would effectively be public as soon as you use it. Without any password protection an eavesdropper listening to your network traffic could see the URL you send and then visit the same page. They would be encrypted when using HTTPS.
Update:
For something like a single-use URL, I'd go with the GUID-esque approach that has been suggested. Make sure to have a short lifespan on the link.
For an instant log-in, there is no really secure way to have a single URL.
Yes you can generate a URL which is going to be damn near impossible to guess, but that doesn't give you super security. If you want to remember users, why not use an encrypted authentication cookie?
The example you give, Google Calendar, doesn't log you in via the URL alone; you have to be authenticated first before the URL means anything.
E.g. clicking on Google Calendar from my Gmail gives me:
https://www.google.com/calendar/render?tab=mc&gsessionid=-LTeHrnKoeAbDcVaN68NHA
That doesn't help you access my account unless you've first authenticated as me.
Old post:
You can generate a GUID in PHP using com_create_guid and use that.
On Linux I think you can use uuid_create, or this code from here:
<?php
// Returns a GUID string in the form {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}.
function guid(){
    if (function_exists('com_create_guid')){
        // Windows builds with the COM extension: use the native generator.
        return com_create_guid();
    }else{
        // Fallback: format the MD5 of uniqid() as a GUID.
        // mt_srand() is not called; PHP has seeded the generator itself since 4.2.0.
        $charid = strtoupper(md5(uniqid(rand(), true)));
        $hyphen = chr(45);// "-"
        $uuid = chr(123)// "{"
            .substr($charid, 0, 8).$hyphen
            .substr($charid, 8, 4).$hyphen
            .substr($charid,12, 4).$hyphen
            .substr($charid,16, 4).$hyphen
            .substr($charid,20,12)
            .chr(125);// "}"
        return $uuid;
    }
}
echo guid();
?>
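The single-use, short-lifespan link described in the answer above, as an added example that is not part of the original post: it swaps the GUID/MD5 value for 256 bits from PHP's `random_bytes()`, stores only a SHA-256 hash of the token, and consumes the token on first use. The class name `OneTimeLinks`, the in-memory store standing in for a database table, and the host `app.example.test` are assumptions made for illustration.

```php
<?php
// Added example: single-use, short-lived URL token.
// The in-memory array stands in for a database table (assumption).
final class OneTimeLinks
{
    /** @var array<string, array{user: int, expires: int}> keyed by SHA-256 of the token */
    private array $store = [];

    // Issue a token for $userId valid for $ttl seconds; only its hash is kept.
    public function issue(int $userId, int $ttl, int $now): string
    {
        // 32 bytes (256 bits) from the OS CSPRNG, URL-safe base64 without padding.
        $token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
        $this->store[hash('sha256', $token)] = [
            'user'    => $userId,
            'expires' => $now + $ttl,
        ];
        return $token;
    }

    // Return the user id for a known, unexpired token and consume it; otherwise null.
    public function redeem(string $token, int $now): ?int
    {
        $key = hash('sha256', $token);
        if (!isset($this->store[$key])) {
            return null;                  // unknown or already used
        }
        $row = $this->store[$key];
        unset($this->store[$key]);        // single use: removed on the first attempt
        return $now <= $row['expires'] ? $row['user'] : null;
    }
}

$links = new OneTimeLinks();
$now   = 1700000000;                      // constructed timestamp for the demo
$token = $links->issue(42, 900, $now);    // 15-minute lifetime
echo "https://app.example.test/reset?t=$token\n";  // placeholder host

var_dump($links->redeem($token, $now + 60));       // first use inside the lifetime
var_dump($links->redeem($token, $now + 61));       // replay of the same token
$late = $links->issue(42, 900, $now);
var_dump($links->redeem($late, $now + 901));       // presented after expiry
var_dump($links->redeem('guessed-value', $now));   // value that was never issued
```

Because the store holds hashes rather than tokens, a leaked table does not yield usable links; the link itself still has to travel over HTTPS, as the answer notes.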