Home/ Questions/Q 3227646
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T16:35:57+00:00

I’m working on a small webapp that generates exercise program printouts. A user (ie

  • 0

I’m working on a small webapp that generates exercise program printouts. A user (ie personal trainer) can create an exercise program, then enter the email address of one of their clients. A link to the exercise program then gets sent to the client, like so…

http://www.myurl.com/generate.php?hash=abiglonghash...

The hash is a sha512 string.

I don’t want people to be able to easily discover other people’s exercise programs. At the same time I would really prefer to avoid prompting people for additonal password info, etc, when they click on that link. I would like a client to click on the link in their email, and immediately get their program, no fuss.

I’m wondering what thoughts are as to the security of the above, without additional authentication? I know it’s not Fort Knox, but it seems about as safe to me as a typical “Forgot your password” system. Any thoughts, suggestions as to how this could be improved, without getting into full-blown user authentication?

Thanks in advance,

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    A “forgot password” system typically does a few things:

    • Requires you to “know” something once you get to the page (like your mother’s maiden name, your high school, etc)
    • Sends you your new password in an email. Even if you get to the ‘forgot password’ URL of another user, the new password is sent to that user’s email address on file. This means you would need access to their inbox, as well as their “secret question”

    For your purposes, a SHA512 string should be secure enough. Using a SHA512 is similar to using a UUID, in theory. It is long enough to be statistically improbable that someone could guess someone else’s hash. The odds of it happening are astronomically high.

    Of course, there are always easier ways than guessing to get access to someone else’s hash. Things like the user’s browser history, intercepting their net traffic, looking over their shoulder, etc. Only SSL combined with a protective login system would protect against those things.

    • 0