
[nycphp-talk] How do you secure a confidential URL w/query sent via email?

Cliff Hirsch cliff at pinestream.com
Fri Jul 22 11:30:27 EDT 2005


I think I've answered my own question. The very low probability approach
just may work.
20 letters = 26^20, if my high school math is correct, which is
2,600,000,000,000,000,000,000

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Cliff Hirsch
Sent: Friday, July 22, 2005 11:04 AM
To: 'NYPHP Talk'
Subject: [nycphp-talk] How do you secure a confidential URL w/query sent via email?


I just received an email from evite with a link that looked something
like this:
  
<http://www.evite.com/pages/invite/viewInvite.jsp?inviteId= very long
string &li=iq&src=email

This is a common approach for user login validation, etc. It doesn't
require a login. It doesn't check to see if it came from the email
address that it was sent to.

What prevents a hacker from randomly entering a "very long string" to
gain access to confidential information? It seems to me that the usual
approach is to just go with the very low probability formula. Is this
more secure than I think? Am I missing something here? To me a more
secure approach would be to require the email, or some other tidbit sent
in the email, to be entered. That would correlate the "very long string"
with the email that it was sent to, which a hacker would not know.

Cliff Hirsch

_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org
