For the sake of simplicity, instead of full-fledged authentication with login and password, I want to create a "Google Docs long URL" authentication scheme for the users of my internet shop, to let them view, track, and possibly modify their own orders:

 my_shop.com/orders/very_long_and_random_string_here/{view|edit|etc}

The very_long_and_random_string_here will have around 50 characters. It'll be unique for each order.

The page will contain the user's email and dates. The very sensitive information won't be in plain text; it'll be partially shown, partially hidden.

Will this url authentication scheme be secure enough?

Are there caveats? Are there serious no-nos?

Note that my question is different from "How unlikely is it that a Google Doc link is guessed?"

schroeder
Kaj
  • "Secure enough" needs to be defined. Secure enough for what? What would happen if unauthorised people had access to that URL? That's the point that matters here. – schroeder Feb 19 '19 at 16:20
  • If you are trying to hide sensitive information from unauthorised people, then yes, this question is a duplicate of the one you linked. – schroeder Feb 19 '19 at 16:21
  • @schroeder I'll rephrase: how likely is it for unauthorised people to have access to that URL? – Kaj Feb 19 '19 at 16:21
  • Then this is *directly* a duplicate of the other. – schroeder Feb 19 '19 at 16:21
  • @schroeder no.. – Kaj Feb 19 '19 at 16:21
  • And why not? Can you explain how it's different? – schroeder Feb 19 '19 at 16:22
  • @schroeder I see it as a different one. Read my questions – Kaj Feb 19 '19 at 16:22
  • That's nice. And can you explain the differences you see? – schroeder Feb 19 '19 at 16:23
  • You have not defined what "Secure enough" means, the caveats are laid out plainly in the duplicate. So, I need to understand what you understand to be the differences. – schroeder Feb 19 '19 at 16:24
  • Also, please understand that this is not an authentication scheme but a "don't let anyone else get access to this open, public URL" scheme. Nothing is getting authenticated. You are merely trying to limit access to something. – schroeder Feb 19 '19 at 16:32
  • @Kaj you should explain the specific ways your question is different from the linked duplicate, instead of just saying 'it's different' - it looks the same to me, so if it's different I don't know what exactly you're asking. If you're asking about the overall security of the scheme as opposed to just the guessability, it's a dupe of https://security.stackexchange.com/questions/118975/a-secret-in-a-url. – Buffalo5ix Feb 19 '19 at 17:16
  • It seems more like a session management scheme than authentication, but yeah, the answer linked seems fine. – Bokis Feb 19 '19 at 17:18
  • The only thing keeping someone from making a key to your front door is 5 secret digits... – dandavis Feb 19 '19 at 17:37
  • The underlying concerns (unauthenticated access, lack of confidentiality) are the same. The math in the top comment will work out the same if you generate URLs using the same scheme as Google. It is functionally the same question, and you can interpret those answers as being applicable to you. One serious risk is not addressed in those comments: if those URLs are discoverable by any kind of search robot, it's game over from a security perspective... so make sure that isn't possible when configuring the web server. – DoubleD Feb 19 '19 at 22:45
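
A sketch of the per-order secret URL discussed in this thread, added here as an example and not code from the question or from any commenter. It assumes a dict standing in for the orders table and hypothetical function names; 38 random bytes are chosen because they encode to 51 URL-safe characters, close to the "around 50" in the question, and the `Referrer-Policy` and `Cache-Control` headers go one step beyond the search-robot point raised in the comments.

```python
import hashlib
import re
import secrets

TOKEN_BYTES = 38                 # 304 bits from the OS CSPRNG
TOKEN_CHARS = 51                 # length of the URL-safe base64 encoding
ORDER_PATH = re.compile(r"^/orders/([A-Za-z0-9_-]{%d})/(view|edit)$" % TOKEN_CHARS)

# Sent on every order response, found or not, so the secret URL is not
# indexed by crawlers, kept in shared caches, or leaked via the Referer header.
PRIVATE_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow",
    "Cache-Control": "no-store",
    "Referrer-Policy": "no-referrer",
}


def token_digest(token: str) -> str:
    """Hash the token so the stored value cannot be replayed as a URL."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def new_order_link(store: dict, order_id: int) -> str:
    """Mint a unique token for one order and keep only its digest."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    store[token_digest(token)] = order_id
    return f"/orders/{token}/view"


def resolve(store: dict, path: str):
    """Return (status, headers, order_id) for a request path.

    Malformed and unknown tokens get the same 404, so the response does
    not reveal which part of a guess was wrong.
    """
    match = ORDER_PATH.match(path)
    order_id = store.get(token_digest(match.group(1))) if match else None
    if order_id is None:
        return 404, PRIVATE_HEADERS, None
    return 200, PRIVATE_HEADERS, order_id


if __name__ == "__main__":
    orders = {}                              # constructed sample store
    link = new_order_link(orders, 1001)
    print(link, resolve(orders, link)[0])
```

Because the lookup is keyed on the digest, a leaked copy of the table does not hand out working order URLs.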

0 Answers