Laravel: is it a security issue to show the expiration in a signed URL?

Time:06-04

How does Laravel work with expiration in signed URLs? Is the expiration protected in any way against manual overwriting?

I generate confirmation emails in my Laravel application that have a limited usage time. Is it possible, by rewriting the expiration parameter in the URL, to convince Laravel that the URL has not yet expired? My generated URL is here:

http://localhost/register/confirm/19?expires=1654334707&signature=2e44bb1c17bab475bbffb442316ad932723ba50376db6d75cb0c2fe2675d5535

CodePudding user response:

To answer you: No, you can't rewrite a signature since everything is in the hash.

You can find the answer in the documentation: https://laravel.com/docs/9.x/urls#signed-urls

Just don't forget to use the "signed" middleware on your route, or add a logic check in your controller or service.
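
The behaviour described in the answer above, as an added example that is not part of the original post and is not Laravel's source code: a simplified plain-PHP model of an expiring signed URL, showing that a link whose `expires` value was edited fails the signature check before the deadline is even looked at. It assumes the signature is an HMAC-SHA256 over the URL including `expires`; `SECRET`, `signUrl` and `verifyUrl` are hypothetical names.

```php
<?php
// Simplified model of an expiring signed URL (added example, not Laravel's source).
// Assumption: the signature is an HMAC-SHA256 over the URL including `expires`.
const SECRET = 'constructed-demo-key'; // constructed; stands in for the app key

function signUrl(string $baseUrl, int $expires): string
{
    $unsigned = $baseUrl . '?expires=' . $expires;
    return $unsigned . '&signature=' . hash_hmac('sha256', $unsigned, SECRET);
}

function verifyUrl(string $url, int $now): string
{
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $query);
    $given = is_string($query['signature'] ?? null) ? $query['signature'] : '';
    unset($query['signature']);

    // Recompute the HMAC over everything except the signature itself.
    $unsigned = "{$parts['scheme']}://{$parts['host']}{$parts['path']}?" . http_build_query($query);
    if (!hash_equals(hash_hmac('sha256', $unsigned, SECRET), $given)) {
        return 'invalid signature'; // any edited parameter ends up here
    }
    // Only a value that passed the HMAC check is trusted as the deadline.
    if (isset($query['expires']) && $now > (int) $query['expires']) {
        return 'expired';
    }
    return 'ok';
}

$expires  = 1654334707; // expires value from the URL in the question
$url      = signUrl('http://localhost/register/confirm/19', $expires);
$tampered = str_replace("expires=$expires", 'expires=' . ($expires + 86400), $url);

echo verifyUrl($url, $expires - 60), PHP_EOL;      // untouched link, before the deadline
echo verifyUrl($url, $expires + 60), PHP_EOL;      // untouched link, after the deadline
echo verifyUrl($tampered, $expires + 60), PHP_EOL; // expires pushed one day forward
```

The check only protects routes where it actually runs, which is why the answer points at the `signed` middleware.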
