
I have a website like SO. Also, there is a link on the login page named "forgot password" which sends an email to reset the password. As you know, that email contains a link like this:

http://www.example.com/resetpassword?token={what thing can be here?}

As you see, my question is about the value of that token.


Here is my table structure:

// users
+----+--------+---------------+---------------+------------------------------+
| id |  name  |   password    |    cookie     | /* and some other columns */ |
+----+--------+---------------+---------------+------------------------------+
| 1  | jack   | d404559f60... | 0c2c62b9dc... | /* anything */               |
+----+--------+---------------+---------------+------------------------------+

password column:

$password = $_POST['password'];        // ex: 1234
$password = hash('sha512', $password); // d404559f602eab6fd602ac7680dacbfaadd13630335e951f097af3900e9de176b6db28512f2e000b9d04fba5133e8b1c6e8df59db3a8ab9d60be4b97cc9e81db

cookie column:

$email = 'jack.1998@gmail.com';
$cookie = hash('sha512', $email.$password); // 0c2c62b9dc9bdf72ce4c845cc400dcc96ebf9898e1b3e821c7d99cae3dbe486e3b0534ccd73903dfc03cb4b424b39fdd67b68724708ddfd56424bf14ee4507bf

As I read in this and this answer: that token should be a random string, and I have to store it in the database (for validating).

What's my question? Can I use the value of $cookie as that token?


Note1: I've used the $password variable to generate the $cookie value, because I want to log out a user from all devices when he changes his password.

Note2: I don't want any expiry time for that reset-password link (the one I've sent in the email).

  • Yes, you can use the value of the cookie as the token. – Jay Blanchard Jun 24 '16 at 13:57
  • @JayBlanchard Thank you .. I needed to hear that. – stack Jun 24 '16 at 13:58
  • 4
    So if someone would get their hands on my cookie, they could also reset my password … terrible idea. Create a new, _random_ value for the token. – CBroe Jun 24 '16 at 14:01
  • @CBroe Ok, what about using the value of `password` column as the *token*? – stack Jun 24 '16 at 14:06
  • 1
    Check this link plz http://stackoverflow.com/questions/18910814/best-practice-to-generate-random-token-for-forgot-password – Amit Ray Jun 24 '16 at 14:08
  • 1
    _“Ok, what about using the value of password column as the token?”_ – _why …?_ That makes no sense either – trying to protect certain functionality with data that might already be compromised by an attacker. Just generate a random value and be done with it … – CBroe Jun 24 '16 at 14:12
  • Rule of thumb: if you establish any link between your values which are supposed to provide security (i.e. token is based on cookie is based on email), you're introducing possible faults into your system. If somebody can derive a value they shouldn't know from a value they might get their hands on, you've made it unnecessarily easy for them. **Just use purely random values which are impossible to guess or derive, period.** – deceze Jun 24 '16 at 14:12
  • *"I don't want any expire time for that reset-password-link"* – bad. The link *should* expire eventually, at least after a few weeks, better a few hours. What's the attack scenario? Attacker does tons of bogus password reset requests, which fills your database with tons of tokens, then attacker randomly tests tokens until they find one that exists. The fewer valid tokens in your database, the less chance the attack is successful. And you can only reduce the number of valid tokens by expiring them again. – deceze Jun 24 '16 at 14:16
  • @deceze Ah .. good point .. thank you. – stack Jun 24 '16 at 14:19
  • @deceze Just one thing, that token should be unique in the database, right? – stack Jun 24 '16 at 14:24
  • Uhm, yeah, since it's used as unique identifier in the reset URL. If you're using a proper random number generator and are generating a sufficiently long string, the statistical likelihood of generating duplicates is practically nonexistent. – deceze Jun 24 '16 at 14:34
  • @deceze I think I have to check the database for the token *(to make sure there isn't any duplicate token)* before creating that link. – stack Jun 24 '16 at 15:06
  • 1
    The practical way to do that is to declare the column to be `UNIQUE` and catch errors which result when you try to `INSERT` a duplicate value, then generate a new value and try again. As I said, this case will practically never happen when using a decent random number generator. – deceze Jun 24 '16 at 15:09
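
The comments above add up to a concrete recipe: a token that is purely random (not derived from the cookie or the password hash), stored in a `UNIQUE` column with a retry on the practically-impossible duplicate, and expired after a few hours so that bogus reset requests do not pile up as live tokens. The following PHP is an added example written for this page, not the asker's code. It assumes a hypothetical `password_resets` table (schema in the comment), a `$pdo` connection to MySQL in exception mode, and MySQL's driver error code 1062 for a duplicate key. It goes one step beyond the comments by storing only a SHA-256 digest of the token, so a read-only leak of the table does not hand out usable links, and by making each link single-use.

```php
<?php
// Added example (not the asker's code): issue and validate password-reset tokens
// as the comments recommend: a purely random value, stored with an expiry,
// in a UNIQUE column, with a retry on the (practically impossible) duplicate.
// Assumed schema (hypothetical, not from the question):
//   CREATE TABLE password_resets (
//     user_id    INT      NOT NULL,
//     token_hash CHAR(64) NOT NULL UNIQUE,
//     expires_at INT      NOT NULL
//   );
// $pdo is assumed to be a PDO connection to MySQL with ERRMODE_EXCEPTION.

const RESET_TOKEN_TTL = 3600; // one hour, per the "better a few hours" advice

// Returns the raw token to put in the e-mail link. Only a SHA-256 digest of it
// is stored, so a read-only leak of the table does not yield usable links.
function issueResetToken(PDO $pdo, int $userId): string
{
    // Drop any earlier token for this user so there is at most one live link.
    $pdo->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$userId]);

    $insert = $pdo->prepare(
        'INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
    );

    for ($attempt = 0; $attempt < 5; $attempt++) {
        $token     = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, 64 hex chars
        $tokenHash = hash('sha256', $token);    // what goes into the UNIQUE column
        try {
            $insert->execute([$userId, $tokenHash, time() + RESET_TOKEN_TTL]);
            return $token;
        } catch (PDOException $e) {
            // MySQL error 1062 = duplicate key: generate a fresh token and retry.
            if (($e->errorInfo[1] ?? null) !== 1062) {
                throw $e;
            }
        }
    }
    throw new RuntimeException('could not generate a unique reset token');
}

// Validates the token from the URL. Returns the user id on success, null otherwise.
// The row is deleted on every hit, so a link works at most once.
function consumeResetToken(PDO $pdo, string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // reject anything that is not a token we could have issued
    }
    $tokenHash = hash('sha256', $token);

    $select = $pdo->prepare(
        'SELECT user_id, expires_at FROM password_resets WHERE token_hash = ?'
    );
    $select->execute([$tokenHash]);
    $row = $select->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    $delete = $pdo->prepare('DELETE FROM password_resets WHERE token_hash = ?');
    $delete->execute([$tokenHash]); // consume it whether or not it is still valid

    if ((int) $row['expires_at'] < time()) {
        return null; // expired: attacker-requested bogus tokens die here too
    }
    return (int) $row['user_id'];
}

// Usage (hypothetical):
// $token = issueResetToken($pdo, 1);
// $link  = 'http://www.example.com/resetpassword?token=' . $token; // send by e-mail
// ...
// $userId = consumeResetToken($pdo, $_GET['token'] ?? '');
```

Because the token is looked up by its digest rather than compared in PHP, the question of whether `$cookie` or the password hash could serve as the token does not arise: nothing in the table can be derived from anything the user or an attacker already holds. A periodic `DELETE FROM password_resets WHERE expires_at < now` keeps the pool of live tokens as small as the expiry allows, which is exactly the property deceze's attack scenario depends on.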

0 Answers