jackhammer013 - 1 year ago 58
PHP Question

How to securely share a link to others - Laravel 5

Hi, I am making a Call Recording System. Basically, there's an admin and a user. The admin will upload a call recording file, which is stored in the file system. Then the admin will assign a user a call recording, which the user can see.

So in my database I have


then my Designation table, which is where I store the call recording assigned to a user.


I already made the function so that the user can only see and play the recording assigned to him/her. My problem now is that the user could also share that recording with someone else. I have already done that: what I do is load the assigned recording for the user, and in his/her dashboard there's a public link for the video, say

<a href="http://localhost/callrec/public/recording/{!! $value->recordID !!}">See Public Link</a>

as you can see I'm using the Blade template engine. As you can see, that

is my recording ID, which is a resource, so let's say that link is directed to


Then that link is public and the user can share it. But there's a risk: when he/she shares this, that
from the link can be altered, let's say
and if that
exists it can be accessed, which it is not supposed to be, because the user only shared the id = 1. How to approach problems like this? Any ideas and suggestions? Thanks!

Answer Source

If you use ID in the URL, then as you noticed it's easy to guess other possible IDs, change the URL and access other recordings. So what you need to do is to share links containing a value that users won't be able to guess. One example would be a hash of the recording ID using some secret value as a hash - e.g. your APP_KEY value.

What you need to do is:

  1. Add a string hash column to your recording table
  2. When a recording is created, calculate the hash and save it with the recording:

    $recording = Recording::create($attributes);
    // The config key is 'app.key' (APP_KEY is the env variable it is read from); bcrypt
    // output contains '+' and '/', so make the base64 URL-safe before using it in a route.
    $recording->hash = rtrim(strtr(base64_encode(
        Hash::make($recording->recordID . Config::get('app.key'))), '+/', '-_'), '=');
    $recording->save();

  3. Use that hash in the URLs

    <a href="http://localhost/callrec/public/recording/{!! $value->hash !!}">
       See Public Link
    </a>

This way your links will be publicly available, but guessing a hash of another recording will be more or less as hard as guessing passwords in your application as the same logic is applied. Just make sure you keep your APP_KEY safe.
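Added example, not code from the original answer: the resolving side of this scheme in Laravel 5, where the public route looks the recording up by its stored token and never by recordID. `Recording`, the `hash` column and `recordID` come from the question; the `path` column, the `shareToken`/`createWithToken` helpers and the controller name are assumptions.

```php
<?php
// Three Laravel 5 files shown in one listing (bracketed namespaces keep it valid PHP).
// app/Recording.php
namespace App {
    use Illuminate\Database\Eloquent\Model;
    use Illuminate\Support\Facades\Config;
    use Illuminate\Support\Facades\Hash;

    class Recording extends Model
    {
        protected $primaryKey = 'recordID';          // column name used in the question
        protected $fillable = ['title', 'path'];     // 'path' (stored file) is assumed

        // Token as in the answer: bcrypt(recordID . app.key), then URL-safe base64
        // (RFC 4648 §5) so '+', '/' and '=' cannot break the route parameter.
        public static function shareToken($recordID)
        {
            $raw = Hash::make($recordID . Config::get('app.key'));
            return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
        }

        public static function createWithToken(array $attributes)
        {
            $recording = static::create($attributes);
            $recording->hash = static::shareToken($recording->recordID);
            $recording->save();
            return $recording;
        }
    }
}

// app/Http/Controllers/RecordingController.php
namespace App\Http\Controllers {
    use App\Recording;

    class RecordingController extends Controller
    {
        public function show($hash)
        {
            // Exact match on the stored column: an unknown or altered token is a 404,
            // and recordID never appears in the public URL.
            $recording = Recording::where('hash', $hash)->firstOrFail();
            return response()->file(storage_path('app/' . $recording->path));
        }
    }
}

// routes file (routes/web.php in 5.3+): the link is /recording/{hash}, as in the answer.
namespace {
    Route::get('recording/{hash}', 'RecordingController@show');
}
```

Because bcrypt salts randomly, the stored token cannot be recomputed from recordID and is unpredictable on its own, so the lookup has to be an exact match on the stored column rather than a recomputation.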