Recovery link security problem
I have noticed that malicious hackers manage to shut down your plugin by simple random attempts via URL.
This has happened to me on several portals I maintain and my suggestion is this:
Generate a unique key that always has a different (random) length of 24-64 characters. It is best to include uppercase and lowercase letters alongside numbers. The check must be case sensitive.
This is not an unbreakable solution either, but it is much more secure than the current one because it is much harder to assume and the server will already detect an intrusion attempt. And at the same time you can check if the link is wrong 3 times and block the IP for a certain period.
Here is one suggestion of mine:
<?php
// Token generator from the post, reformatted for readability. It prefers
// random_bytes() (PHP >= 7.0), then openssl_random_pseudo_bytes(), and only
// as a last resort falls back to uniqid(), which is not cryptographically secure.
function generate_token(int $length = 16): string {
    // Cast to int: random_bytes() requires an int, and ceil() returns a float.
    $bytes = (int) ceil($length * 2);
    if (function_exists('random_bytes')) {
        return substr(str_rot13(bin2hex(random_bytes($bytes))), 0, $length);
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        return substr(str_rot13(bin2hex(openssl_random_pseudo_bytes($bytes))), 0, $length);
    }
    // Weak fallback: uniqid()/microtime() are predictable; str_replace() expects a string replacement.
    return substr(str_replace(['.', ' ', '_'], (string) mt_rand(1000, 9999), uniqid('t' . microtime())), 0, $length);
}

// Random token length between 24 and 64 characters, as proposed above.
echo generate_token(mt_rand(24, 64));
?>
Best regards!
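The following is an added example, not code from the post or from the plugin it discusses, showing the full scheme the post proposes: a 24-64 character mixed-case token drawn from a CSPRNG, a case-sensitive constant-time check against a stored hash, and a per-IP block after three wrong attempts. The in-memory `$store` array, the `issue_recovery_link()`/`verify_recovery_token()` function names, the base URL and the IP addresses are all assumptions for the demo; a real plugin would persist the hashed token and the failure counters (for example in WordPress transients).

```php
<?php
// Added example (hypothetical helpers, not the plugin's own code).

const TOKEN_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
const MAX_FAILURES   = 3;    // wrong links tolerated per IP
const LOCKOUT_SECS   = 900;  // block duration once MAX_FAILURES is reached

// Random length between 24 and 64; every character comes from random_int() (CSPRNG),
// so upper case, lower case and digits are all possible at every position.
function generate_recovery_token(): string {
    $length = random_int(24, 64);
    $max    = strlen(TOKEN_ALPHABET) - 1;
    $token  = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= TOKEN_ALPHABET[random_int(0, $max)];
    }
    return $token;
}

// Only a hash of the token is stored, so a leaked database row is not a usable link.
function token_fingerprint(string $token): string {
    return hash('sha256', $token);
}

// Constructed in-memory store; stands in for persistent storage in a real plugin.
$store = ['token_hash' => null, 'expires' => 0, 'failures' => []];

function issue_recovery_link(array &$store, string $base_url, int $ttl = 3600): string {
    $token = generate_recovery_token();
    $store['token_hash'] = token_fingerprint($token);
    $store['expires']    = time() + $ttl;
    return $base_url . '?recovery=' . rawurlencode($token);
}

function ip_is_blocked(array $store, string $ip, int $now): bool {
    $entry = $store['failures'][$ip] ?? null;
    return $entry !== null && $entry['count'] >= MAX_FAILURES && $entry['until'] > $now;
}

function record_failure(array &$store, string $ip, int $now): void {
    $entry = $store['failures'][$ip] ?? ['count' => 0, 'until' => 0];
    if ($entry['count'] >= MAX_FAILURES && $entry['until'] <= $now) {
        $entry = ['count' => 0, 'until' => 0];  // earlier lockout has expired; start counting again
    }
    $entry['count']++;
    if ($entry['count'] >= MAX_FAILURES) {
        $entry['until'] = $now + LOCKOUT_SECS;
    }
    $store['failures'][$ip] = $entry;
}

// Returns 'ok', 'blocked' or 'invalid'. hash_equals() is both case sensitive and
// constant time, so the comparison leaks nothing about how many characters matched.
function verify_recovery_token(array &$store, string $ip, string $presented, ?int $now = null): string {
    $now = $now ?? time();
    if (ip_is_blocked($store, $ip, $now)) {
        return 'blocked';
    }
    $valid = $store['token_hash'] !== null
        && $store['expires'] > $now
        && hash_equals($store['token_hash'], token_fingerprint($presented));
    if (!$valid) {
        record_failure($store, $ip, $now);
        error_log("recovery-link: wrong token presented from $ip");  // the signal the server can alert on
        return 'invalid';
    }
    $store['token_hash'] = null;        // single use: the link is dead once accepted
    unset($store['failures'][$ip]);
    return 'ok';
}

// Demo with constructed values.
$link = issue_recovery_link($store, 'https://example.com/wp-admin/recovery.php');
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
$guesser = '203.0.113.7';  // constructed address making random attempts
echo verify_recovery_token($store, $guesser, 'guess-one'), "\n";                    // first wrong guess
echo verify_recovery_token($store, $guesser, 'guess-two'), "\n";                    // second wrong guess
echo verify_recovery_token($store, $guesser, strtolower($q['recovery'])), "\n";     // right token, wrong case
echo verify_recovery_token($store, $guesser, $q['recovery']), "\n";                 // right token, but this IP has hit the limit
echo verify_recovery_token($store, '198.51.100.5', $q['recovery']), "\n";           // right token from an unblocked IP
```

The block-per-IP counter is the weakest part of the design, as the post itself concedes: an attacker with many addresses is slowed rather than stopped, so the token entropy (62 symbols over at least 24 positions) is what actually makes guessing impractical, and the lockout mainly turns the attempts into a loggable signal.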