What is a best practice for obfuscating unique tokens in logs?

Unique tokens are emailed to users and that token is what is used to trigger the workflow process. That token is stored encrypted in the database, but when the user clicks the link, the token is shown in clear text in the app logs. How can this best be handled?
Julian Hansen commented:
What are your concerns?

If you mail it to the user it is out in the open - if your token is a hash that is unguessable (or close) and a one time use - why do you need to protect it?

If an attacker can get access to your logs he/she can get access to the code that decrypts the data - and your data is exposed anyway.

Trying to understand what it is you want to achieve here?

alexmac05 (Author) commented:
What hash function do you recommend for this?

So, perhaps the answer is to have a token that is a hash that is unguessable or close.

All I am trying to achieve is an understanding of best practices about this particular workflow where you have to send a token to a customer in an email that they click that brings them back to the web application for some function and how to do this in a best practice way knowing that the token will be exposed in logs, emails, and on the front-end.

Thank you for your answer and your help!
noci (Software Engineer) commented:
Unless correctly encrypted, any email is a public medium ... (sealed letter vs. picture postcard).
You can use such onetime links to validate email addresses.. not a lot more.
They need to be time constrained anyway.
alexmac05 (Author) commented:
I think this is also called a one-click login.
Julian Hansen commented:
Usual practice is to use a GUID / UUID
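An added example (not from the thread) that puts the advice above together in Python: the emailed token is random and unguessable, only its hash is stored, it is accepted once and only before expiry, and a logging filter replaces the token in log lines with a short fingerprint so a log reader cannot replay the link. The function names, the `token=` query parameter and the in-memory store are assumptions standing in for the real application.

```python
import hashlib
import logging
import re
import secrets
import time

# Constructed in-memory store standing in for the database: sha256(token) -> record.
# Only the hash is persisted, so a database or log leak does not yield a usable token.
_STORE = {}

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(ttl_seconds: int = 900, now=None) -> str:
    """Create the token that goes into the e-mail link: 256 random bits, time-limited."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable; never derived from user data
    _STORE[_digest(token)] = {"expires": now + ttl_seconds, "used": False}
    return token

def redeem_token(token: str, now=None) -> bool:
    """Accept a token at most once and only before it expires."""
    now = time.time() if now is None else now
    rec = _STORE.get(_digest(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    rec["used"] = True  # one-time use: a replayed link fails even if it leaked
    return True

_TOKEN_RE = re.compile(r"(token=)([A-Za-z0-9_\-]+)")

def redact(line: str) -> str:
    """Replace the token value in a log line with a short, non-reversible fingerprint."""
    return _TOKEN_RE.sub(lambda m: f"{m.group(1)}[redacted:{_digest(m.group(2))[:8]}]", line)

class RedactingFilter(logging.Filter):
    """Attach to the app logger so request URLs are scrubbed before they are written."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # render first, then scrub the token
        record.args = ()
        return True

if __name__ == "__main__":
    log = logging.getLogger("app")
    log.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.INFO)
    log.info("GET /activate?token=%s 200", issue_token())
```

The fingerprint lets support staff correlate a log line with a database row (compare it against the stored hash prefix) without the log ever holding the secret itself.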