Thursday, 15 August 2013

php - How best to use the encryption method for confirm code -


What is the best way to use a hashing method for a confirmation code sent in an email notification: MD5, SHA1 or SHA-256?

I send an email notification to confirm some actions by email.

I prepare a confirmation code from a salt and some parameters.

What is the best way to use the hashing method to verify the code?

You have two main options here:

  1. Generate some random data, store it in your database associated with that profile, and just put that data on the link;
  2. Build some kind of secure hash based on the user id and other data, and put that hash on the link.

The first option is safe (assuming you are using a true random number generator, or a very, very good pseudo random one), but you have to store the data on the database.

I usually like the second option, because there is no need to store anything on the database. Here is how: choose a secret key, which only your server will have, then define which parameters you want to validate in the URL (for example, only the user ID may be enough; but if you want the link to expire, you can put a timestamp on the URL too and validate the timestamp together with the user ID in your hash). Mix your secret key with the parameters, create a hash based on that, and create a link that carries both your parameters and the hash. When the user clicks the link, you take the parameters from the URL, mix them with your secret key again, hash the result and compare it to the hash that came with the URL.

A safe way to do this is to use HMAC, which is a hash-based message authentication code.

Note that this mechanism exposes the actual data in your URL. If the data is confidential (i.e., suppose you want to send the user a link that contains a username and password, without having to save anything on the database before the link is clicked), you should use authenticated encryption, which is a mix of an encryption algorithm (which guarantees that the data cannot be read) and an authentication algorithm (which guarantees that no meaningful change can be made to the encrypted data, since only your server could have generated such a code).
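As an added example (this is not code from the original answer), here is a PHP implementation of the second option with an expiring link, plus the random-token generator the first option needs. The base URL, the `action` parameter, the 24-hour lifetime and the way the secret key is obtained are assumptions made for the demo; in a real deployment the secret comes from configuration and the action names are your own.

```php
<?php
declare(strict_types=1);
// Added example, not from the original answer: HMAC-signed confirmation links.
// Assumptions: the secret is loaded from config (here generated on the fly),
// links live 24 hours, and the action name is a short lowercase identifier.

const CONFIRM_TTL = 86400; // assumed lifetime of a link, in seconds

// Second option: no database state. The MAC covers the action, the user id and
// the expiry, so none of them can be changed without the secret key.
function makeConfirmMac(string $secret, int $userId, string $action, int $expires): string
{
    // Canonical message; '|' cannot appear in any field (see verifyConfirmParams).
    $message = implode('|', [$action, (string) $userId, (string) $expires]);
    return hash_hmac('sha256', $message, $secret);
}

function buildConfirmUrl(string $base, string $secret, int $userId, string $action, int $now): string
{
    $expires = $now + CONFIRM_TTL;
    $mac = makeConfirmMac($secret, $userId, $action, $expires);
    return $base . '?' . http_build_query([
        'uid'    => $userId,
        'action' => $action,
        'exp'    => $expires,
        'mac'    => $mac,
    ]);
}

// Returns the validated ['uid' => ..., 'action' => ...] or null if the link is
// missing fields, malformed, expired, or carries a MAC that does not match.
function verifyConfirmParams(string $secret, array $params, int $now): ?array
{
    if (!isset($params['uid'], $params['action'], $params['exp'], $params['mac'])) {
        return null;
    }
    if (!ctype_digit((string) $params['uid']) || !ctype_digit((string) $params['exp'])) {
        return null;
    }
    $userId  = (int) $params['uid'];
    $expires = (int) $params['exp'];
    $action  = (string) $params['action'];
    // Restrict the action to a safe alphabet so it cannot contain the '|' delimiter.
    if (!preg_match('/^[a-z_]{1,32}$/', $action)) {
        return null;
    }
    if ($expires < $now) {
        return null; // link has expired
    }
    $expected = makeConfirmMac($secret, $userId, $action, $expires);
    // hash_equals() compares in constant time, so an attacker cannot learn the
    // correct MAC byte by byte from response timing.
    if (!hash_equals($expected, (string) $params['mac'])) {
        return null;
    }
    return ['uid' => $userId, 'action' => $action];
}

// First option: a random token you store on the server, keyed by the user.
// random_bytes() is a CSPRNG; 32 bytes gives a 256-bit token. Store the token
// (or its SHA-256) with the user row and compare it later with hash_equals().
function newStoredToken(): string
{
    return bin2hex(random_bytes(32));
}

// Demo with a constructed secret and a fixed clock.
$secret = bin2hex(random_bytes(32)); // stand-in for a configured secret key
$now    = time();
$url    = buildConfirmUrl('https://example.com/confirm', $secret, 42, 'verify_email', $now);
parse_str((string) parse_url($url, PHP_URL_QUERY), $params);

var_dump(verifyConfirmParams($secret, $params, $now));                  // array(uid => 42, action => 'verify_email')
var_dump(verifyConfirmParams($secret, $params, $now + CONFIRM_TTL + 1)); // NULL: expired

$tampered = $params;
$tampered['uid'] = '43';                                                 // change the user id, keep the MAC
var_dump(verifyConfirmParams($secret, $tampered, $now));                 // NULL: MAC no longer matches

$tampered = $params;
$tampered['action'] = 'delete_account';                                  // reuse the token for another action
var_dump(verifyConfirmParams($secret, $tampered, $now));                 // NULL: action is part of the MAC

echo strlen(newStoredToken()), PHP_EOL;                                  // 64 hex characters
```

Two points worth keeping in mind when adapting this: the action name is inside the MAC on purpose, so a link issued for one purpose cannot be replayed for another; and as the answer says, `uid`, `action` and `exp` travel in the clear, so if any of them is confidential you need authenticated encryption rather than a plain MAC.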
