Using session_id() in an email
Posted: Wed Mar 31, 2010 9:43 am
by alex.barylski
I need to send an email with a confirmation link and for obvious reasons the hashkey/unique ID associated with the URI should be one time use and hard to guess.
The session_id() is perfect because it meets a few more requirements, such as being unique to the user who made the request, which must be confirmed. Problem is, sending that session_id over the wire could result in session hijacking or something.
So I wonder if I can still use the session_id() but scramble it a bit more, maybe with an additional md5 and salt, such as current time???
Cheers,
Alex
Re: Using session_id() in an email
Posted: Wed Mar 31, 2010 10:40 am
by timWebUK
Why not take the date they sign up, their email address and the first character of their username and a random number - SHA256 hash that. So long as your code is not going to be open source... this is not guessable.
Using the session ID seems to be like it would be prone to problems.
Re: Using session_id() in an email
Posted: Sat Apr 03, 2010 8:39 am
by kaisellgren
The value of session_id() can still be the same for two or more different users if they set up the session at the same time on the same proxy and with "some luck".
The session ID consists of four key elements: the IP address of the client (or the proxy), the current time in seconds, the current time in milliseconds, and the result of the internal combined linear congruential generator. PHP concatenates these elements together and hashes the result depending on the ini configuration (typically SHA-1). In the case of SHA-1, the output has a strength of 160 bits. You can get into this same situation pretty much by hashing 20 bytes of pseudo-random data with SHA-1.
So, using the session identifier that PHP generates is no more unique to a user than a pseudo-random nonce with x bits of strength, where x equals the strength of the session (usually 160 bits). If you go for 160 bits of strength, for example, then you can pretty happily think that the value identifies a particular user, because the chance that two users get the same nonce is one in 2^160 (that is one in ~1 461 501 637 330 902 918 203 684 832 716 300 000 000 000 000 000, or one in one and a half quindecillion). If your software fails and there have been two identical nonces that were used at the same time, then I doubt you should worry, because you should have already won the lottery millions of times and live in the Bahamas happily for the rest of your life drinking beer and enjoying the company of nice women...
I would not use a session identifier to confirm an email, because it does not really make sense. Create a strong nonce, email it (encrypted if possible), and make it obsolete after use and after a certain period. Also, it would not be a bad idea to loosely tie the confirmation to the IP address of the registrar. When tying the confirmation to an IP address, don't create the nonce/confirmation key based on the IP; you should instead allow the confirmation process to be done only by the specific IP.
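The approach recommended in the reply above (a strong random nonce instead of session_id(), single use, expiring), as an added example that is not code from the thread. It assumes a PDO connection `$pdo` and a table `email_confirmations(user_id, token_hash, expires_at, used_at)`; both are assumptions for illustration.

```php
<?php
// Added example, not from the thread: single-use, expiring email confirmation token.
// Assumed schema: email_confirmations(user_id INT, token_hash CHAR(64),
//                                     expires_at INT, used_at INT NULL)

const TOKEN_TTL_SECONDS = 24 * 3600;

// Issue a token for $userId. Only the SHA-256 of the token is stored, so a leaked
// database row does not yield a working confirmation link.
function createConfirmationToken(PDO $pdo, int $userId): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG, unrelated to the session
    $stmt = $pdo->prepare(
        'INSERT INTO email_confirmations (user_id, token_hash, expires_at, used_at)
         VALUES (:uid, :hash, :exp, NULL)'
    );
    $stmt->execute([
        ':uid'  => $userId,
        ':hash' => hash('sha256', $token),
        ':exp'  => time() + TOKEN_TTL_SECONDS,
    ]);
    return $token;   // place this in the link, e.g. https://example.test/confirm?t=<token>
}

// Consume a token from a clicked link. Returns the user id on success, null otherwise.
// The conditional UPDATE makes the token single-use even under concurrent requests:
// only one request can flip used_at from NULL, so a replayed link is rejected.
function consumeConfirmationToken(PDO $pdo, string $token): ?int
{
    if (strlen($token) !== 64 || !ctype_xdigit($token)) {
        return null;   // malformed input, reject before touching the database
    }
    $hash = hash('sha256', $token);
    $now  = time();
    $stmt = $pdo->prepare(
        'UPDATE email_confirmations SET used_at = :now
          WHERE token_hash = :hash AND used_at IS NULL AND expires_at > :limit'
    );
    $stmt->execute([':now' => $now, ':hash' => $hash, ':limit' => $now]);
    if ($stmt->rowCount() !== 1) {
        return null;   // unknown, expired, or already used
    }
    $row = $pdo->prepare('SELECT user_id FROM email_confirmations WHERE token_hash = :hash');
    $row->execute([':hash' => $hash]);
    $uid = $row->fetchColumn();
    return $uid === false ? null : (int) $uid;
}
```

Tying the confirmation to the registrant's IP, as the reply suggests, would be an additional `WHERE` condition on a stored IP column rather than an input to the token itself.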