I'm working on a reset password function that matches hashes to allow for the user to reset. The only trouble is the hash that was created cannot be passed over URL without breaking the page. For example, my hash is this:

http://localhost/users/changeResetPassword/e0b4ab1d2cdc5742c7b5f72ef6c2935dadfe458dc275b7419d9f1ac66461aa20%0F5%3A%C6%5C%26%2A%E4%D5%ACA%94%ADV%BF%EB%CAz%97O%1F%7D%F0h~%E3-.%FF%B4z%5E%1AQ%B8%8Ca%BC500%2A%EC%7B%FA%AF8%E3%2A%7F%BA%A4y%03%AE%29%94%09%26%9E%29e%E5%DEn%1At%C1%EC%F7%D4x%EAvlA%BE%5B%0D%CF

All of these % seem to break the page, because I get this error:

Object not found!

The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again.

If I take away everything up to the last % and try it again, the page loads fine. It's just some characters in the URL seem to bug everything out:

http://localhost/users/changeResetPassword/e0b4ab1d2cdc5742c7b5f72ef6c2935dadfe458dc275b7419d9f1ac66461aa20

This loads fine, so I know it's just a URL problem. Any ideas?

cg22

1 Answer

Base64 encode the hash and pass it along, then decode when received. Cake URI parsing likely breaks because it'll try to interpret those %xx as HTML-encoded values, but it does not appear that is what they are, since you have stuff like %03, and from the link: "The ASCII device control characters %00-%1f were originally designed to control hardware devices. Control characters have nothing to do inside a URL"

With regards to ndm's comment indicating you may additionally need to URL encode the base64 string since base64 can contain the characters + = /, I'd recommend you also look at "url encoded forward slash is breaking url" to see why simply encoding the problematic characters might also be problematic. If the current solution of passing unencoded base64 strings is not causing any issues with your rewrite rules, I would recommend you keep it as is.

ThatOneDude
  • That is exactly the answer. You rock. :) – cg22 Aug 27 '14 at 17:51
  • While using base64 is an appropriate solution, you must be aware that base64 encoding can produce characters that are problematic in URLs, that is `+`, `=` and `/`, you'll have to make sure that they are being URL encoded or replaced with substitutes, see for example **http://stackoverflow.com/questions/1374753/passing-base64-encoded-strings-in-url** @cg22 – ndm Aug 28 '14 at 14:44
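
The "replaced with substitutes" option from ndm's comment, as an added example (not code from the question or either poster): the raw token is base64 encoded with `+`, `/` and `=` swapped out, so the path segment needs no percent-encoding at all, and the decoder rejects anything outside that alphabet. It assumes PHP 7.1 or later; the function names are hypothetical, the sample token is constructed, and the constant-time comparison with `hash_equals` is an assumption about how the stored value is checked.

```php
<?php
// Added example: function names are hypothetical, sample data is constructed.

/** Encode raw bytes as URL-safe base64: '+' -> '-', '/' -> '_', '=' padding dropped. */
function base64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

/** Decode URL-safe base64; returns null for anything that is not well-formed. */
function base64url_decode(string $text): ?string
{
    // Accept only the URL-safe alphabet, so a stray '%', '+', '/' or '=' is rejected.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $text)) {
        return null;
    }
    // Valid base64 never has a length of 1 modulo 4.
    if (strlen($text) % 4 === 1) {
        return null;
    }
    // Restore the standard alphabet and the padding that was stripped on encode.
    $paddedLength = (int) ceil(strlen($text) / 4) * 4;
    $padded = str_pad(strtr($text, '-_', '+/'), $paddedLength, '=');
    $raw = base64_decode($padded, true); // strict mode: false on invalid input
    return $raw === false ? null : $raw;
}

/** Compare the token taken from the URL with the stored raw token in constant time. */
function reset_token_matches(string $urlSegment, string $storedRaw): bool
{
    $raw = base64url_decode($urlSegment);
    return $raw !== null && hash_equals($storedRaw, $raw);
}

// Constructed sample: a hex digest followed by raw bytes, shaped like the value in the question.
$stored  = hash('sha256', 'constructed-sample') . "\x0F5:\xC6\\&*\xE4\xFB\xFF\x03";
$segment = base64url_encode($stored);

echo "standard base64: ", base64_encode($stored), "\n";
echo "URL segment:     ", $segment, "\n";
var_dump(reset_token_matches($segment, $stored));                // round trip
var_dump(reset_token_matches($segment . '%0F', $stored));        // foreign characters
var_dump(reset_token_matches(substr($segment, 0, -2), $stored)); // truncated token
```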