Follow-up Comment #2, sr #107281 (project administration):

Additional comment (for whenever this issue is addressed): It gets worse. The token is a function of the session cookie and the current time, so the user can predict it without receiving either email. The confirmation and cancellation links should use two different, /random/ tokens.
_______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107281>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
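
The fix the comment asks for, as an added example that is not part of the tracker item or of Savannah's code: two independent random tokens per request, stored as digests and redeemable once. The function names, the record layout and the SHA-256 stand-in for the weak derivation are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def derived_token(session_cookie: str, timestamp: int) -> str:
    """Weak pattern from the comment: token = f(session cookie, current time).
    The hash used here is an assumption; any deterministic f of values the
    requester already holds gives the same token without reading any email."""
    return hashlib.sha256(f"{session_cookie}:{timestamp}".encode()).hexdigest()


def _digest(token: str) -> bytes:
    # Only digests are stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).digest()


def issue_tokens():
    """Return (record, confirm_token, cancel_token).
    Each token is an independent CSPRNG draw and goes only into its own email;
    the record is what the server keeps."""
    confirm = secrets.token_urlsafe(32)
    cancel = secrets.token_urlsafe(32)
    record = {
        "state": "pending",
        "confirm": _digest(confirm),
        "cancel": _digest(cancel),
    }
    return record, confirm, cancel


def redeem(record: dict, action: str, presented: str) -> bool:
    """Accept a link only if the request is still pending and the presented
    token matches the digest stored for that specific action."""
    if record["state"] != "pending" or action not in ("confirm", "cancel"):
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(record[action], _digest(presented)):
        return False
    # Single use: the first valid link closes the request for both actions.
    record["state"] = "confirmed" if action == "confirm" else "cancelled"
    return True
```

Because the two tokens are unrelated, holding one email's link says nothing about the other, and neither can be recomputed from the session cookie or the request time.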