I have a feature in which a token to recover the password is sent in the URL using the GET method.
I've heard that I shouldn't send sensitive parameters in the URL, but the thing is:
- It is a unique token (a random string sent in the email)
- It is a single-use token
- It has an expiration time
- This token doesn't correspond to any session information or similar
So if I have to use the POST method, how can I get this token from the recovery email and pass it to my application?
Thanks for your help
Please edit the initial post to:
- split up the problems that are inside the question,
- then rank them in a way that one solution gives you clues to solve the next ones,
- translate it to English
In general, we should never give the customer any clues about the solution; we just need to help the customer understand the security risk behind it.
So the link doesn't carry a session ID and it expires after a certain time. So the only way this can work is with HTTPS. In order to avoid the leak
I still don't quite understand. Don't just translate the text; interpret it appropriately, rewrite it if necessary, simplify, etc. Try to frame the problem as your problem, not the other person's problem.
OK, I get it. The issue here is that an email is sent with a link which has a random string in the URL. So it expires. I know that it is a risk, because the system is not implementing HTTPS yet.
Also, change the title. Make it a question pointing to a problem so other people can find this post if needed.
I have changed the title to something simpler.
Hi there @elated-colden
Considering the features you are describing, I would say it is not necessary to use POST. If the link is only sent to the email, it gets really difficult (not impossible) for an attacker to get the token, because he/she has to break the security of two systems.
According to the OWASP recommendation (step 3), you can send a token to the user's email, but it has to be a
"randomly-generated code having 8 or more characters"
and with a lifespan of about 20 minutes.
To avoid other security breaches, the tokens should no longer be valid after they've been used, and they should be sent over HTTPS.
The idea of avoiding the use of confidential data in URLs refers to credentials or other IDs that are related to the session. That said, "randomly-generated code" means you should not be able to get any sensitive information about the user from that token, nor guess it.
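The scheme described in this answer (a random token with far more than 8 characters, a 20-minute lifespan, single use, carried only in an HTTPS link, and revealing nothing about the user), as an added Python example that is not part of the original thread. The in-memory store, the user IDs and the base URL are assumptions for illustration; a real application would keep the hashed tokens in its database.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32                 # 256 bits of entropy, well above the 8-character minimum
TOKEN_TTL_SECONDS = 20 * 60      # 20-minute lifespan, as the answer recommends

# Constructed in-memory store: sha256(token) -> (user_id, expires_at).
# Only the hash is stored, so a leaked table does not hand out usable tokens,
# and the stored value carries no information about the user beyond the id.
_reset_tokens = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id, now=None):
    """Create a single-use, time-limited reset token and return the raw value
    that goes into the e-mail link. `now` is injectable for testing."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG, URL-safe for a GET link
    _reset_tokens[_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def build_reset_link(token, base_url="https://example.com/reset"):
    """The link sent by e-mail. HTTPS only: the token is the only secret in the
    URL and it is tied to no session. base_url is an assumed example value."""
    if not base_url.startswith("https://"):
        raise ValueError("reset links must use https")
    return f"{base_url}?token={token}"


def consume_reset_token(token, now=None):
    """Validate and burn a token. Returns the user_id it was issued for, or None.
    The token is removed on first lookup, so it is single use even when the
    lookup fails (e.g. the token had already expired)."""
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(_digest(token), None)
    if entry is None:
        return None                     # unknown, already used, or tampered
    user_id, expires_at = entry
    if now > expires_at:
        return None                     # lifespan exceeded
    return user_id


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print("mail this:", build_reset_link(t))
    print("first use ->", consume_reset_token(t))    # alice
    print("second use ->", consume_reset_token(t))   # None
```

Looking up the hash of the token rather than the token itself means an attacker who reads the store still has to find a preimage of a 256-bit random value, which is the property the answer asks for: nothing about the user can be derived from the token and it cannot be guessed.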