Random token in query strings

A developer asked me this question.

“A question: the token that is sent by URL via GET is a
unique token which has an expiration and is single use; in addition,
it is used to validate that the password recovery is valid.
Even so, must the sending of this token be done by POST? Yes it is.
So, how can I get this token from the recovery mail link
into my application?
Thank you so much”
And another comment below this main comment:
“I forgot: this token does not correspond to any session information or similar; it is simply a random string sent in the email link”

So I have some doubts about this inquiry. Since sending parameters this way is not valid according to rule FIN.S.0030, how should I handle this situation? I think it is not a threat, but it should implement HTTPS.

Thanks for your help
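As an added illustration of the mechanism the developer describes (not code from this thread or from the system being discussed): a minimal single-use, expiring password-reset token store. The token travels in the e-mail link, the GET handler only renders the form, and the reset itself happens by POST, where the token is checked and burned. Function names, the 15-minute lifetime and the in-memory store are assumptions for the example.

```python
# Added example, not from the thread. Hypothetical helpers for a
# password-reset token that is random, expiring and single use.
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # constructed policy value: 15 minutes

# In-memory store: sha256(token) -> {"user_id", "expires_at", "used"}.
# Only the hash is kept, so a copy of this table cannot be replayed as a link.
_reset_tokens = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a fresh random token for user_id; the caller puts it in the mail link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    _reset_tokens[_hash(token)] = {
        "user_id": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def build_reset_link(base_url: str, token: str) -> str:
    """Build the mail link; refuse plain http so the token is never sent in clear."""
    if not base_url.startswith("https://"):
        raise ValueError("reset links must use https")
    return f"{base_url}/reset-password?token={token}"


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Validate and burn the token (POST handler only). Returns user_id or None.

    The GET handler that renders the form must not call this; it only shows
    the page, so a link preview or a second click does not spend the token.
    """
    now = time.time() if now is None else now
    entry = _reset_tokens.get(_hash(token))
    if entry is None or entry["used"] or now > entry["expires_at"]:
        return None
    entry["used"] = True  # single use: the same link cannot be replayed
    return entry["user_id"]
```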

Please edit the initial post to:

  • split the number of problems that are inside the question,
  • then rank them in a way that one solution give you clues to solve the next ones,
  • translate it to English

In general, we should never give the customer any clues about the solution; we just need to help the customer understand the security risk behind it.

So the link doesn’t carry a session ID and it expires after a certain time. So the only way this can work is with HTTPS, in order to avoid the leak.

Still, I don’t understand it a bit. Don’t just translate the text; interpret it appropriately, rewrite it if necessary, simplify, etc. Try to frame the problem as your problem, not the other person’s problem.

OK, I get it. The issue here is that an email is sent with a link which has a random string in the URL, and it expires. I know that is a risk because the system is not implementing HTTPS yet.

Also, change the title. Make it a question pointing to a problem so other people can find this post if needed.

I have changed the title for something more simple.