tl;dr: Is a pseudorandomly generated string unguessable enough to be used as a token in a URL?
I'm making a web application, let's for the sake of argument assume it's another PasteBin. I allow users to paste text and I generate a random URL for them that they can pass to their friends but otherwise will remain unknown to the public.
How should I generate this URL? It'll be something like https://pastebin.example.com/%s where %s is a random string.
How secure is it to simply use a pseudo-random value, such as the result of uniqid? How will using something like openssl_random_pseudo_bytes improve how unguessable the ID is?
Assume that users will not be able to submit arbitrarily many pastes per minute; there is some rate-limiting system (such as a captcha and IP check). Also assume that I have taken measures to prevent search engines from indexing the page. The risk of sharing information protected just by an unguessable URL is outside the scope of this question.
For clarity: the random string is ONLY used as an identifier, it is NOT used for cryptographic operations afterwards.
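An added example in PHP (not part of the question, written to illustrate the two options it compares): it generates a paste ID from the operating system's CSPRNG via random_bytes(), quantifies how long guessing such an ID would take under the stated rate limit, and checks that uniqid() encodes the creation time rather than randomness. It assumes PHP 7.0 or later for random_bytes(); the function names other than the built-ins are mine.

```php
<?php
declare(strict_types=1);

// Added example, not the question author's code. Contrasts a CSPRNG-derived
// paste ID with uniqid(), which is built from the current time.

// URL-safe token carrying $bytes * 8 bits of entropy (16 bytes = 128 bits).
// base64url alphabet (RFC 4648 section 5) so the ID needs no URL-encoding.
function generatePasteId(int $bytes = 16): string
{
    if ($bytes < 16) {
        throw new InvalidArgumentException('use at least 128 bits of entropy');
    }
    // random_bytes() throws if no CSPRNG is available; it never degrades silently.
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

// Expected time, in years, before a guesser at $guessesPerSecond hits any one
// of $existingPastes live pastes. Shows why 128 bits is ample under rate limiting.
function yearsToFirstHit(int $entropyBits, int $existingPastes, float $guessesPerSecond): float
{
    $space = 2 ** $entropyBits;               // overflows int, so PHP returns a float
    $expectedGuesses = $space / $existingPastes;
    return $expectedGuesses / $guessesPerSecond / (365 * 86400);
}

// uniqid() is not random: its first 8 hex characters are the Unix timestamp in
// seconds and the remaining 5 are the microsecond counter. Knowing roughly when a
// paste was created therefore reveals most of such an ID. This makes it concrete.
function uniqidIsTimestampDerived(): bool
{
    $now = time();
    $id = uniqid();                           // 13 hex chars, e.g. "6571a2b3c4d5e"
    $seconds = hexdec(substr($id, 0, 8));
    return abs($seconds - $now) <= 1;
}

$id = generatePasteId();
printf("paste id: %s (%d bits of entropy)\n", $id, 16 * 8);
printf("years to guess one of 1e6 pastes at 10 guesses/s: %.1e\n",
    yearsToFirstHit(128, 1000000, 10.0));
printf("uniqid() encodes creation time: %s\n", uniqidIsTimestampDerived() ? 'yes' : 'no');
```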