On Thursday 11 October 2007 04:09:40 am Ian Docherty wrote:
> The principle is this.
>
> Create a text string containing the user-id and the date, e.g.
> '666-20001011' then append a 'secret' code to it only known by the
> server giving you a string like '666-20001011-ThiSW1llNev3rBQuessed'.
>
> You now apply your favorite one-way hash function to this string, for
> example MD5 or SHA1.
>
> You now include in your email the link to the site with the string
> '666-20001011-<SHA1orMD5string goes here>'
>
Not to be overly picky, but from a crypto POV, it might make more sense to use real HMAC-MD5/HMAC-SHA rather than the "look what I just reinvented" HMAC. It shouldn't be any slower or more complicated, and it provides one less chance for someone to forge a token if they really want (since in this situation, the only "proof" you offer yourself that you generated the token in the first place is that the MAC matches).

Andrew

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[EMAIL PROTECTED]/
Dev site: http://dev.catalyst.perl.org/
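The two constructions from the exchange above side by side, as an added Python example that is not code from either poster: Ian's hash-of-string-plus-secret token and Andrew's real HMAC token, with a verifier that recomputes the MAC and compares it in constant time. The secret, user id and date are the constructed values quoted in the thread; SHA1 is used because the thread names it, and any secret in real use would come from server configuration.

```python
import hashlib
import hmac

# Constructed value taken from the quoted message; a real deployment keeps this in config.
SECRET = b"ThiSW1llNev3rBQuessed"


def ad_hoc_token(user_id: str, date: str, secret: bytes = SECRET) -> str:
    """Ian's construction: SHA1('uid-date-secret') appended to 'uid-date'.

    This is a keyed hash built by hand, not an HMAC."""
    digest = hashlib.sha1(f"{user_id}-{date}-".encode() + secret).hexdigest()
    return f"{user_id}-{date}-{digest}"


def hmac_token(user_id: str, date: str, secret: bytes = SECRET) -> str:
    """Andrew's suggestion: HMAC-SHA1 over 'uid-date', keyed with the server secret."""
    payload = f"{user_id}-{date}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha1).hexdigest()
    return f"{payload}-{mac}"


def verify_hmac_token(token: str, secret: bytes = SECRET):
    """Check a token minted by hmac_token().

    Returns (user_id, date) when the MAC matches, None otherwise. The MAC is the
    last '-'-separated field; everything before it is the authenticated payload."""
    payload, sep, mac = token.rpartition("-")
    if not sep or "-" not in payload:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha1).hexdigest()
    # compare_digest avoids leaking where the first mismatching byte is via timing.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    user_id, _, date = payload.partition("-")
    return user_id, date


if __name__ == "__main__":
    print(ad_hoc_token("666", "20001011"))
    print(hmac_token("666", "20001011"))
    print(verify_hmac_token(hmac_token("666", "20001011")))
```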
