Story for context: I have an ePetition type service running on my site which I email people a link where they can 'agree' to the petition. This link will only contain the 'petitionID' and 'username' of the person who sent it.
This information isn't particularly sensitive but I still require it to be tamper-proof because I want them to be able to accept without signing in or storing values in the database.
I thought of using Java's String.hashCode() function.
Maybe having the url as: username, petitionId and then a hash
www.website.com/accept.jsp?user='username'&id='petid'&token='1039678106'
The token could be made up of username + id(from the link) + datePetitionStarted(like the salt not exposed in the url) like:
String test = "mike.Who@petitionwebsite.com+1524+09/02/2016";
System.out.println(test.hashCode());
This would give me a hash of '1039678106' which means server side, I can take the ID parameter, the username of the person and use the datePetitionStarted, get the hashcode and compare them.
Do you think this is a valid way of preventing tampering?
I'm really after a token-type method of accepting petitions so if anyone has any other ideas that would be awesome.
thanks,
Mike
Here's what I did (which is practically tamper-proof). I don't use java script as users can disable it anyway. I simply create a UUID, (which is stored in a database next to user details) and then create a link sent in an email during the registration process.
http://my_domain_name/Activate?key=6faeecf5-9ab3-46f4-9785-321a5bbe2ace
When the user clicks on the link above, the server side code checks that this key actually exists in the database, in which case it activates the user account.