Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#728 Encrypt user_id on account verification #774

Open
wants to merge 4 commits into
base: develop
Choose a base branch
from
Open

#728 Encrypt user_id on account verification #774

wants to merge 4 commits into from

Conversation

OmarElgabry
Copy link
Contributor

Instead of passing user_id in the URL as action method argument, passing the encrypted version of user_id in query parameter will work just fine. The link looks long and ugly 馃槃 but in case you want a solution for #728

@panique
Copy link
Owner

panique commented Jan 5, 2016

Thanks, looks very good!
Would be cool if everybody who reads this could test it a little bit to make sure this is bulletproof in most possible browser/mailprovider/server/os-setup (there are sometimes problems when using complex strings with special characters in URLs).

slaveek
slaveek reviewed Jan 10, 2016
View reviewed changes
application/controller/RegisterController.php
{
$user_id = Encryption::decrypt(Request::get("user_id"));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Request::get("user_id") should be check for empty value otherwise exception is thrown

@slaveek slaveek mentioned this pull request Jan 10, 2016
Open
@OmarElgabry
Check if user_id is empty
b43c13e 
Check if user_id is empty before decryption, otherwise an exception will be thrown.
@OmarElgabry
Copy link
Contributor Author

@slaveek It's fixed now, Thanks.

@borgogelli
Copy link

borgogelli commented Apr 26, 2016
edited

You have changed the sendVerificationEmail() but what about sendPasswordResetMail() ? Do I need to change it too ?

@OmarElgabry
Copy link
Contributor Author

OmarElgabry commented Apr 28, 2016
edited

The password reset uses the user name instead of user id, that's why I changed sendVerificationEmail(). You can use the user id instead in sendPasswordResetMail(), encrypt it, and don't forget to pass it as a query argument.

@ghost
Copy link

ghost commented May 10, 2016

Hi @panique Will you be adding this to huge?

@panique
Copy link
Owner

panique commented May 10, 2016

Hi @di48l069, yes it's the plan but i had no time for review and merging yet :/ ... you know, working full time + summer is always tricky :)

@ghost
Copy link

ghost commented May 10, 2016

Hi @panique thank you for response haha I understand working full time is hectic no problem man i will just keep eye on pull request :P

Thanks for this amazing secure framework it has helped my projects alot

@Kayumba
Copy link

Kayumba commented Nov 13, 2017

v

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@OmarElgabry @panique @borgogelli @Kayumba @slaveek