I’m currently building a website where you have an account and can do "dangerous" things with it. I want to password-protect these things, so the user has to type their password, if they want to continue. I couldn’t find any ressources on this, so I came up with this idea.
My method works this way:
- User navigates to dangerous action
- The server redirects the user to the password prompt website
- The user types the password
- The server checks if the typed in password matches the currently logged in user
- If check was successfull, the server redirects the user to the action with a uniquely created token associated to the user as a GET parameter
- The dangerous actions checks if the token matches to the user
- If match, the server will continue as normal
My question: Is this secure?
I think this is secure because I will probably make the token like 511 chars long and bruteforcing it would be very unlikely and I couldn’t find any other security holes in this.