[EMAIL PROTECTED] wrote:
> I've been following this conversation and I'd like to clarify whether my
> idea (since I and others want to do this as well) would be to use an
> incrementing counter for uniqueness. Then also store a bit of secret
> randomness, concatenate both values together and create a digest hash.
> That hash would be sent along with the sequence as well. This would allow
> uniqueness and prevent guessing since the digest would have to match as
> well. Depending on my paranoia I could either get fresh random bits each
> time (and have a good hardware source for this then) or keep it around for
> a bit and throw it away after a period.
>
> Does that sound right?
Yes, except for the random part. There is no randomness involved here. You should use a secret key stored on your server. There's an example of this technique here: http://www.oreilly.com/catalog/cgi2/chapter/ch08.html

- Perrin
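The counter-plus-keyed-digest scheme Perrin describes, written out as an added example that is not part of this thread or of the linked chapter. It assumes a long-lived secret held only by the server (the constant below is a constructed placeholder) and uses HMAC-SHA256 in place of a bare digest over key and counter, since HMAC is the standard keyed construction for this purpose.

```python
import hmac
import hashlib

# Constructed placeholder: a real deployment loads this from protected
# server-side storage and never regenerates it per request.
SERVER_SECRET = b"constructed-example-key-do-not-reuse"


def make_token(sequence: int, key: bytes = SERVER_SECRET) -> str:
    """Return 'sequence.digest' with digest = HMAC-SHA256(key, sequence).

    The incrementing counter supplies uniqueness; the keyed digest makes a
    valid token unforgeable without the server's secret, so no per-token
    randomness is required.
    """
    seq = str(sequence).encode()
    digest = hmac.new(key, seq, hashlib.sha256).hexdigest()
    return f"{sequence}.{digest}"


def verify_token(token: str, key: bytes = SERVER_SECRET):
    """Return the sequence number if the token's digest is valid, else None."""
    try:
        seq_str, digest = token.split(".", 1)
        sequence = int(seq_str)
    except ValueError:
        return None
    # Reject non-canonical encodings such as "007" so one sequence number
    # has exactly one valid token string.
    if str(sequence) != seq_str:
        return None
    expected = hmac.new(key, seq_str.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch does not leak how many
    # leading characters matched.
    if not hmac.compare_digest(expected, digest):
        return None
    return sequence


if __name__ == "__main__":
    tok = make_token(42)
    print(tok, "->", verify_token(tok))
```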