Security with states?

If I was to generate a random number and save to a state on the page then send an SMS to the user (with the same random number as a code), can someone see the value stored in the state? Is there a more secure way of temporarily storing the random number so that I can verify it against the user’s entry, for example encoding it with SHA256? But then I don’t know how to check the user’s input against the encoded value. I’m sure there’s a simple answer.

I know I can use Twilio Verify, but I wanted to send the random number via SMS and email so the user has the option.

Yeah, at the client side you can see the state value (by inspecting the page), but that does not matter in your case as you are anyway sending the code to the user.

I just feel like you don’t have to worry about using states to temporarily store the code.

You could save the verification code to the database instead of to the state.

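An added example, not part of the original thread, of the server-side approach suggested above: only a keyed hash of the code is stored, and the user's entry is checked by hashing it the same way and comparing. The function names, `SERVER_KEY`, the limits, and the in-memory dict standing in for a database table are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this sketch: a per-deployment secret that never leaves the
# server, a 5-minute lifetime, and 5 guesses per issued code.
SERVER_KEY = secrets.token_bytes(32)
TTL_SECONDS = 300
MAX_ATTEMPTS = 5

pending = {}  # stand-in for a database table keyed by user id


def code_digest(user_id, code):
    # Keyed hash (HMAC) rather than bare SHA-256: a 6-digit code has only
    # 10**6 possible values, so an unkeyed hash can be reversed by trying all.
    msg = f"{user_id}:{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_code(user_id, now=None):
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded
    pending[user_id] = {
        "digest": code_digest(user_id, code),
        "expires": now + TTL_SECONDS,
        "attempts": 0,
    }
    return code  # pass to the SMS/email sender only, never to page state


def verify_code(user_id, submitted, now=None):
    now = time.time() if now is None else now
    rec = pending.get(user_id)
    if rec is None:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        del pending[user_id]  # expired or guessed too often: force a re-issue
        return False
    rec["attempts"] += 1
    # Hash the entry the same way and compare in constant time.
    if hmac.compare_digest(rec["digest"], code_digest(user_id, submitted)):
        del pending[user_id]  # single use
        return True
    return False
```
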

Thanks for your comments. Actually I decided to encode using a private key using this plugin and save to a state, then check the decoded against the user input so all good thanks!
