safest way to cypher an user id on php

Question

I need to append an user id to a public url, I'm not a security expert and I need to know the best way to secure it. I thougt that cypher the id and the append it to the url, and decypher it on the function called by the url, but I need to be the only one thant can decypher it. Any suggestions?

Answer 1

If you want a one-time-only or limited-time-only unique ID to give to the user (I'm guessing this is maybe in some kind of email link or something?) then you could potentially create a GUID or UUID and associate that with the user (via a database table perhaps), and have a field to mark when it's been used or expired.

A GUID/UUID is near-enough guaranteed to be unique and isn't easy to randomly guess.

Answer 2

The best way to do that is by implementing a SSO mecanism (Single Sign On). The user will enter his password on the first app and use a secure link to access the second app.

The first app generates a public key encrypted with a private key known by the two apps. The second app generates the public key to and if it matches the key appended to the URL then its safe to log the user.

Here an example :

The first app will create a public key :

$privateKey = `123azerty456`;
$publicKey = hash('sha512', 'user_id' . $privateKey);
$url = 'second_app.com/example.php?user_id=foo&key='.$publicKey;

The script on the second app will compute the key on its own based on the user_id passed as an argument and using the same private key :

$privateKey = `123azerty456`;
$checkPublicKey = hash('sha512', $_GET['user_id'] . $privateKey);

if($checkPublicKey == $_GET['key']) {
    echo 'OK';
} else {
    echo 'UNAUTHORIZED';
}