I need to be able to send users a link that contains an encrypted value which is used to authenticate the user when they visit the link.

The current process uses a salt and roughly 40-character unique hash which is then encrypted and base64 encoded so that it can be safely transported via email and in theory come back safely through the URL.

However, as this is my first attempt at doing something like this, I failed to consider the effect of slashes in the encrypted value. This causes the value to be truncated when I pull it from the URL which obviously won't work when I try to decrypt it.

How is this generally accomplished? Links to tutorials, etc. are always appreciated.

+1  A: 

I think your method is good overall, in fact it could probably be considered overkill already. For the issues with slashes (and potentially other problem characters) in the URL, just make sure that you use urlencode() (and then subsequently urldecode() in the verification page) on the verification token.

Chad Birch
how could I have missed that! (smacks self on head). Thx. :D
Noah Goodrich
+1  A: 

Although you should never contain sensitive data in a page requiring no authentication, there is an easy solution to fix your problem. Before sending out the hash, make it URI safe with the urlencode function. Then pass it through urldecode before processing it.

tj111
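
The slash problem from the question and the urlencode() round trip from both answers, as an added PHP example that is not part of the original posts. It goes slightly beyond them by also showing URL-safe base64 and what a second decode does to a value PHP has already decoded; the ciphertext bytes, the example.com URL, the `t` parameter and the `b64url_*` helper names are constructed for illustration.

```php
<?php
// Added example with constructed values; not code from the question or answers.

// base64url (RFC 4648 section 5): '-' and '_' replace '+' and '/', padding dropped.
function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt)
{
    $b64 = strtr($txt, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    return base64_decode($b64, true); // strict mode: false on invalid characters
}

// Constructed stand-in for the encrypted token; these bytes are chosen so
// that standard base64 yields '/', '+' and '='.
$cipher = "\xff\xef\xbe\xfb\xff\x3e\x00\x01";
$std    = base64_encode($cipher);

// Option 1: standard base64, escaped once when the link is built.
$link = 'https://example.com/verify?t=' . urlencode($std);

// parse_str() decodes the query string the same way PHP fills $_GET.
parse_str(parse_url($link, PHP_URL_QUERY), $query);
$received = $query['t'];

echo "link:             $link\n";
echo "round trip ok:    ", var_export($received === $std, true), "\n";

// A second urldecode() on the already-decoded value turns '+' into ' ',
// so the base64 no longer decodes to the original bytes.
$twice = urldecode($received);
echo "double decode ok: ", var_export($twice === $std, true), "\n";

// Option 2: base64url needs no escaping in a path segment or a query string.
$safe = b64url_encode($cipher);
echo "base64url:        $safe\n";
echo "decodes back:     ", var_export(b64url_decode($safe) === $cipher, true), "\n";
```

Values read from `$_GET` arrive already decoded, so the verification page should use them as-is; an explicit urldecode() is only needed when the token is taken from a raw path or query string.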