Random token like in queryStrings

elated-colden · June 27, 2019, 8:33pm

I have a functionality in which a token to recover the password is sent in the url using GET method.
I’ve listened that I shouldn’t send sensible parameters in the url but the thing is:

Is a unique token (random string sent in the email)
Is a single use token
It has expiration time
This token doesn’t correspond to any session information or similar

So if I have to use POST method, how can I get and use this token from the recovery’s mail and pass it to my application?

Thanks for you help

blue-snot · June 27, 2019, 8:40pm

Please edit the initial post to:

split the number of problems that are inside the question,
then rank them in a way that one solution give you clues to solve the next ones,
translate it to english

In general, we should never give the customer any clues about the solution, we just need to help the customer to understand the security risk behind.

elated-colden · June 28, 2019, 1:01pm

So the link doesn’t carry a session id and it expires by certain time. So the only way this can work is with https. In order to avoid the leak

blue-snot · June 28, 2019, 1:55pm

Still I don’t understand a bit. Don’t just translate the text, interpret it appropriately, rewrite it if necessary, simplify, etc. Try to frame a problem as your problem, not the other’s person problem.

elated-colden · June 28, 2019, 2:37pm

Ok I get it. the issue here an email is send with a link which has a random string in the url. So it expires. I know that is a risk. because the system is not implementing yet https.

infinite-loop · June 28, 2019, 3:19pm

Also, change the title. Make it a question pointing to a problem so other people can find this post if needed.

elated-colden · July 10, 2019, 8:12pm

I have changed the title for something more simple.

peaceful-jennings · November 6, 2019, 11:42pm

Hi you there @elated-colden

Considering the features you are describing I would say it is not necessary to use POST. If the link is only sent to the email it gets really difficult (not impossible) for an attacker to get the token because he/she has to break the security of two systems.

According to OWASP recommendation (step 3) you can send a token to the user’s mail, but it has to be a

randomly-generated code having 8 or more characters

and with a lifespan of 20 min more less.
To avoid other security breaches the tokens should no longer be valid after they’ve been used and sent by https.

The idea of avoid the use of confidential data on the urls refers to credentials or other ids that are related to the session. That said, “randomly-generated code” means you should not be able to get any sensitive information of the user from that token nor guess it.