Follow-up Comment #4, sr #107281 (project administration):

> Wrt predictable identifiers, what about storing 2 random numbers in the
> DB, one for confirmation and one for cancellation?

That would be fine.

> Other code tends to use MD5 and combine user information such as username,
> etc., but I fail to see the increased security compared to a good old, plain
> 64-bit random number.

Right.  The security is actually completely decreased if the user knows all
the inputs to the digest and can recompute it, as is the case for email change
verification.  A MAC with a site-configured secret key would work, but then
one has to be careful about replay attacks.  Random numbers are just easiest.

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107281>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
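
An added sketch of the two-token scheme discussed in the comment above, next to the recomputable-digest scheme it rejects. This is not Savannah's code; the in-memory store, the function names and the field names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a dict stands in for the database table of pending requests.
PENDING = {}  # request id -> {"confirm": str, "cancel": str, "new_email": str}


def digest_token(username, old_email, new_email):
    """Scheme the thread rejects: MD5 over values the requester already knows.

    Anyone who knows the three inputs can recompute this value without ever
    receiving the verification mail.
    """
    data = f"{username}:{old_email}:{new_email}".encode()
    return hashlib.md5(data).hexdigest()


def create_request(request_id, new_email):
    """Store two independent 64-bit random tokens, one per action."""
    record = {
        "confirm": secrets.token_hex(8),  # 8 bytes = 64 bits from the OS CSPRNG
        "cancel": secrets.token_hex(8),
        "new_email": new_email,
    }
    PENDING[request_id] = record
    return record["confirm"], record["cancel"]


def redeem(request_id, token):
    """Return "confirm", "cancel" or None.

    A matching token deletes the pending request, so neither token can be
    used a second time. A wrong token leaves the request untouched.
    """
    record = PENDING.get(request_id)
    if record is None:
        return None
    for action in ("confirm", "cancel"):
        # Constant-time comparison on bytes; tolerates non-ASCII input.
        if hmac.compare_digest(record[action].encode(), token.encode()):
            del PENDING[request_id]
            return action
    return None
```
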

