[Improvement] Encrypt user_id on account verification instead of actual user_id #728
Comments
+1 encrypted value, not hash value
This will generate an extremely long and "ugly" link like this:
which is for unknown reasons not clickable in Thunderbird, and also fails to become properly de-encrypted, even when used with urldecode(). Does somebody know how to do this properly? Please do not use these links; I think for the initial verification link it's totally okay to use the real user_id. What's the potential value for an attacker, does somebody know this? Thanks! :)
You could hash them like git commit id hashes. Just take the first 7 or so characters and, to prevent collisions when generating the value, check if the shortened hash is already used by another user; if it is, then make it one character longer until there is no conflict. Although with most decent hashing algorithms there should not be any similarities in the hash value of numbers close to each other, and unless your user base is millions large that should be even less of a problem.
Although I am not sure of the necessity of this either, as the user_id is just a pointer to internal information. There is the possibility of them using it as part of an injection attack and dropping that user, but that is not a problem with the user_id, it's a problem with blocking the attack.
The problem with exposing the user_id is that user_id might be used as an identifier outside the platform, like an account number.
This is because you are sanitizing the URL before passing arguments to the action method. And at the same time, you can't omit the sanitizing part. The solution is to use an algorithm that hashes the user_id the way YouTube hashes the video IDs, GitHub commits & comments, etc. (not highly secured as
When an email is sent to verify a new user's account, the clickback string contains the actual user_id of the user. It would probably be a better practice to use a random or hash value for that clickback instead of the actual user_id.
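The approach the issue proposes (a random value in the clickback instead of the user_id), as an added Python example that is not the project's own code: the token is generated from a CSPRNG so it cannot be derived from a user_id, only its SHA-256 digest is stored, it expires and is single use, and it is built from URL-safe characters so it survives a round trip through the query string unchanged. The base URL, the lifetime and the in-memory store are assumptions standing in for the application's own settings and database.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of a verification link

# Constructed in-memory store standing in for a database table:
# sha256(token) -> (user_id, expiry). Only the digest is stored, so a
# leaked copy of the table does not yield usable verification links.
_pending = {}


def issue_verification_token(user_id, now=None, store=_pending):
    """Create a random, single-use verification token bound to user_id."""
    now = time.time() if now is None else now
    # 32 random bytes (256 bits) from the OS CSPRNG, base64url without
    # padding: letters, digits, '-' and '_' only, so no percent-encoding.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    store[digest] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def verify_token(token, now=None, store=_pending):
    """Return the user_id for a valid token, or None. Consumes the token."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    # Remove the entry whether it turns out valid or expired: a link must
    # never be usable twice, and an expired one should not linger.
    entry = store.pop(digest, None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id


def build_link(base_url, token):
    """Build the clickback URL; the token needs no escaping but urlencode is used anyway."""
    return f"{base_url}?{urlencode({'token': token})}"


def token_from_link(link):
    """Extract the token the way a request handler would (decoded query string)."""
    return parse_qs(urlsplit(link).query).get("token", [None])[0]
```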