I'm using security tokens to create unguessable URLs like this (16 bytes, hex):
http://example.com/something/private/b5f8c21a628e12b39786fb8ef9561d31
The token is something like a shared password: whoever knows the URL is allowed to access the resource.
How many bytes should a secure random value have to be appropriate for secure URLs?
Car remotes are examples of security tokens people use regularly. Security tokens are used to authenticate users, and they can be used either to substitute passwords or other authentication methods or used as additional authentication in multi-factor authentication (MFA) flow.
A security token is a physical or digital device that provides two-factor authentication (2FA) for a user to prove their identity in a login process. It is typically used as a form of identification for physical access or as a method of computer system access.
Token size: tokens can vary in size, up to the following limits: authorization codes, 256 bytes; access tokens, 2048 bytes; refresh tokens, 512 bytes.
Work with a strong source of pseudorandomness, ensuring an even and unpredictable spread of tokens across the range of possible values. Make the tokens long enough (at least 16 bytes).
I've ended up with a 64-bit random value which is encoded as URL-safe Base64. The probability of guessing the correct token is 1 / 2^64, which equals 1 / 18446744073709551616. This is a pretty impressive number and it would be nearly impossible for an attacker to find the correct token with HTTP requests.
URLs look like this now: http://example.com/private/1oWYPiqO81k/
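As an added example (not code from the poster), the following generates both token forms discussed above, the 16-byte hex form from the question and the 8-byte URL-safe Base64 form from the answer, using a CSPRNG, and adds the checks a defender would want: how many bits a given token actually carries, a constant-time comparison for validating a presented token, and the expected online-guessing time at an assumed request rate. It goes beyond the page by also accounting for the number of simultaneously valid tokens, since an attacker only needs to hit any one of them; the `requests_per_second` and `live_tokens` figures are assumptions, not values from the page.

```python
import base64
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def hex_token(n_bytes: int = 16) -> str:
    """n_bytes of CSPRNG output as lowercase hex (2 chars per byte), as in the question."""
    return secrets.token_hex(n_bytes)


def urlsafe_token(n_bytes: int = 8) -> str:
    """n_bytes of CSPRNG output as unpadded URL-safe Base64, as in the answer."""
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_bits(token: str, encoding: str) -> int:
    """Entropy in bits of a token, assuming every byte came from the CSPRNG."""
    if encoding == "hex":
        return len(bytes.fromhex(token)) * 8
    if encoding == "base64":
        padded = token + "=" * (-len(token) % 4)  # restore stripped padding
        return len(base64.urlsafe_b64decode(padded)) * 8
    raise ValueError(f"unknown encoding: {encoding}")


def token_matches(presented: str, stored: str) -> bool:
    """Compare a presented token to the stored one without leaking timing information."""
    return secrets.compare_digest(presented.encode("utf-8"), stored.encode("utf-8"))


def years_to_guess(bits: int, requests_per_second: float, live_tokens: int = 1) -> float:
    """Expected years of online guessing before hitting one of `live_tokens` valid tokens.

    On average an attacker needs half the keyspace, divided by the number of
    simultaneously valid tokens (any hit counts). Rate and token count are assumptions.
    """
    expected_guesses = 2 ** bits / (2 * live_tokens)
    return expected_guesses / requests_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Tokens quoted on the page, used here as constructed sample inputs.
    print(token_bits("b5f8c21a628e12b39786fb8ef9561d31", "hex"))   # question: 128 bits
    print(token_bits("1oWYPiqO81k", "base64"))                     # answer: 64 bits
    print(hex_token(), urlsafe_token())
    print(round(years_to_guess(64, 1000)))                         # one live token
    print(round(years_to_guess(64, 1000, live_tokens=1_000_000)))  # a million live tokens
```

The last two lines show why the answer's 64 bits is comfortable for a single token but leaves a much thinner margin once many tokens are valid at once; the 16-byte (128-bit) form in the question removes that concern entirely.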