Follow-up Comment #4, sr #107281 (project administration):

> Wrt predictable identifiers, what about storing 2 random numbers in the DB,
> one for confirmation and one for cancellation?

That would be fine.

> Other code tends to use MD5 and combine user information such as username,
> etc., but I fail to see the increased security compared to a good old, plain
> 64 bits random number.

Right. The security is actually completely decreased if the user knows all the
inputs to the digest and can recompute it, as is the case for email change
verification. A MAC with a site-configured secret key would work, but then one
has to be careful about replay attacks. Random numbers are just easiest.

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107281>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
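
An added example, not part of the original message or of Savannah's code: the two-random-numbers scheme discussed above, next to the kind of MD5 digest it is compared with. The names `md5_token` and `EmailChangeStore`, the in-memory dict standing in for the DB, and the `username:email` digest input are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def md5_token(username, new_email):
    """Digest of values the requesting user already knows (assumed input
    layout). Anyone holding the same inputs computes the same token."""
    return hashlib.md5(f"{username}:{new_email}".encode()).hexdigest()


class EmailChangeStore:
    """Hypothetical stand-in for the DB table of pending email changes."""

    def __init__(self):
        self.pending = {}  # username -> pending row

    def request_change(self, username, new_email):
        # Two independent 64-bit random values: one link confirms the
        # change, the other cancels it. Neither depends on user data.
        row = {
            "new_email": new_email,
            "confirm": secrets.token_hex(8),
            "cancel": secrets.token_hex(8),
        }
        self.pending[username] = row
        return row["confirm"], row["cancel"]

    def redeem(self, username, token):
        """Return 'confirm', 'cancel' or 'invalid' for a presented token."""
        row = self.pending.get(username)
        if row is None:
            return "invalid"
        for action in ("confirm", "cancel"):
            # Constant-time comparison of the stored and presented values.
            if hmac.compare_digest(row[action].encode(), token.encode()):
                # Deleting the row makes both tokens single-use, so a
                # replayed link finds nothing to act on.
                del self.pending[username]
                return action
        return "invalid"
```

Because the row is removed on first use, the stored random values need no separate replay protection, which is the extra care a keyed MAC would require.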