Is there any variable that is unique and unrepeatable (apart from the time and date) that can generate with Javascript and decrypt with PHP? [closed]

Navigation
0

In my project, if the user has forgotten their password, I force them to write their user and using Javascript and windows.location I open a new web page with a request type GET and send your user as a variable. On this page, once the security question is answered, you can change your password.

After a review, I realized that this action opens a large security breach, because anyone can require this same web page and send a valid user, and if you know the answer to the security question, change the user's password.

I thought about sending a kind of security token, that only I know, but I can not think of something that is unique and unrepeatable, apart of course from the date or time.

If I write something in the HMTL, even if it is of hidden , when reviewing the source code it can be seen, and the date or time would be very predictable, even if I modified them in some way, since it can be access the source code in JS.

It could be that he is not thinking very well about the solution and there is another way to do it. With all these details, is there any variable that is unique and unrepeatable that can generate with Javascript and decrypt with PHP?

    
asked by Kenny Barrera 15.06.2017 в 21:10
source

1 answer

1

Have you tried using UUID or GUID to do this kind of work? I pass a function to you. 

function guid() {
  function s4() {
    return Math.floor((1 + Math.random()) * 0x10000)
      .toString(16)
      .substring(1);
  }
  return s4() + s4() + '-' + s4() + '-' + s4() + '-' +
    s4() + '-' + s4() + s4() + s4();
}

Run it running: 

guid()

It will throw random values like this: 

e88be4e8a66c-e8cf85-e8da6e-e897ef-e88980e85e1ee82b90

Imaginitate to generate a UUID for each user in a table independent of your database, with Javascript you locate that variable as an identifier for that user somewhere in the DOM or where you need it, then send it and try to matchear this UUID with the that exists in the database, this will be a unique variable and very difficult to discover for anyone.

Some apps send an email where they use that type of UUIDS but as they mentioned in the comments, they can be temporary if you wish, this increases the security of your application much more than it is currently.

I hope this idea is helpful.

    
answered by 16.06.2017 / 03:26
source
How to eliminate the underline effect that happens when you pass over the mouse pointer? [closed] How do I get a specific data from the BD and not the first one I find?