I am reading this book Essential PHP Security by Chris Shiflett where I came across using tokens (Session Hijacking) in URL. The book says "A better approach is to propagate a token in the URL - something that can be considered a second form of identification.
$token = md5(uniqid(rand(),TRUE));
$url = array();
$html = array();
$url ['token'] = rawurlencode($token);
$html['token'] = htmlentities($url['token'], ENT_QUOTES, 'UTF-8');
<a href="index.php?token=<?php echo $html['token'];?>">Click Here</a>
Once I hit "Click here", the url now has a token to it
What I do not understand is how does the server knows whether this token is valid or not.
Save the token in a database table that has foreign key(s) referencing the user table and any other tables relevant to the application. When the user goes to the link with the
token parameter, the script than looks the token up in this table. If it can't be found, the token is invalid.
A common example of this is when you create an account at a web site, and it sends you an email to validate the account. The link in the email will contain a token that refers back to the account, and when you click on it the script will mark that account as validated. Password reset emails work similarly.