HTTPS URL with token parameter: how secure is it?

SSL will protect the query parameters in transit; however, email itself is not secure, and the email could bounce along any number of servers before getting to its destination.

Also, depending on your web server, the full URL might get logged in its log files. Depending on how sensitive the data is, you might not want your IT people having access to all the tokens.

Additionally, the URL with the query string would be saved in your user's history, allowing other users of the same machine to access the URL.

Finally, and what makes this very insecure, is that the URL is sent in the Referer header of all requests for any resource, even third-party resources. So if you're using Google Analytics, for example, you will send Google the URL, token and all.

In my opinion this is a bad idea.


I'd use a cookie for that. The workflow should be like this:

  1. User comes to your site for the first time.
  2. Site sets a cookie.
  3. User enters data. Data is stored in the DB using some key that is stored in the cookie.
  4. When user leaves, you send them an email with a https: link.
  5. When user comes back, site discovers the cookie and can present the user with the old data.

Now, the user wants to use a different browser on a different machine. In this case, offer a "transfer" button. When the user clicks on this button, she will get a "token". She can use this token on another computer to reset the cookie. This way, the user decides how securely she wants to transfer the token.


SSL secures the contents of the data in transit, but I'm not sure about the URL.

Regardless, one way to mitigate an attacker reusing that URL token is to make sure each token can only be used once. You could even set a cookie so that the legitimate user can continue to use the link, but after the first access it will only work for someone with the cookie.

If the user's email is compromised and an attacker gets the link first, well, you're hosed. But the user also has bigger problems.
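
The single-use link with cookie binding described in the last answer, as an added sketch that is not code from any of the answers above. The class name `LinkTokenStore`, the in-memory dictionary standing in for a database table, and the expiry time are assumptions made for the example; only hashes of the token and cookie are stored, so a copy of the table does not reveal usable links.

```python
import hashlib
import hmac
import secrets
import time


class LinkTokenStore:
    """Hypothetical store: one row per emailed link, keyed by SHA-256(token)."""

    def __init__(self, ttl_seconds=86400):
        self.ttl = ttl_seconds   # assumption: links expire; not stated in the answers
        self._rows = {}          # token hash -> {"expires", "cookie_hash"}

    @staticmethod
    def _h(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def issue(self, now=None):
        """Create the token to embed in the emailed https link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._rows[self._h(token)] = {"expires": now + self.ttl,
                                      "cookie_hash": None}
        return token

    def redeem(self, token, cookie=None, now=None):
        """Return (allowed, cookie_value_to_set_or_None)."""
        now = time.time() if now is None else now
        row = self._rows.get(self._h(token))
        if row is None or now > row["expires"]:
            return False, None
        if row["cookie_hash"] is None:
            # First access: consume the link and bind it to a fresh cookie.
            new_cookie = secrets.token_urlsafe(32)
            row["cookie_hash"] = self._h(new_cookie)
            return True, new_cookie
        # Later accesses: the URL alone is no longer enough.
        if cookie is not None and hmac.compare_digest(
                self._h(cookie), row["cookie_hash"]):
            return True, None
        return False, None


if __name__ == "__main__":
    store = LinkTokenStore()
    link_token = store.issue()
    print(store.redeem(link_token)[0])   # first click on the link
    print(store.redeem(link_token)[0])   # replay of the URL without the cookie
```

The value returned on first redemption would be sent to the browser as a cookie with the `Secure` and `HttpOnly` attributes.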