Sure! Glad to have helped somewhat. It's a perception thing (at least it is for me). I mean a string of 10 symbols of hexadecimal characters (0-through-f) could have 16^10 outcomes (= over 1 trillion = 100 billions). So just a single random guess (like buying a lottery ticket) would give you a 1 in / 1110 000 000 chance to hit it.
Most random ID generators (or however they are called) use 20 or 22 symbols. So the chance to "guess it" goes to "insanely unlikely".

2012/7/22 Tsvetelina Borisova <[email protected]>

> Thanks I was looking exactly for answer like yours - Andrei's answer is
> cool and I only needed more theory on these unsubscribe links. Thanks
> Dihital :)
>
> On Sunday, 22 July 2012, 17:41:54 UTC+3, Dihital wrote:
>
>> Andrei's solution works because with Devise gem the User#auth_token is
>> randomly generated and unique per your app. It would be extremely hard to
>> brute-force it, that's why it's safe; though it would be a good idea to
>> make sure you deny 4th or whichever unsuccessful try to use the same action
>> in the same context (i.e. relating to the same user; similarly to that when
>> you get your account locked if you enter PIN 3 times unsuccessfully) if you
>> are expecting to be brute-forced or simply have higher security level
>> required by the client or yourself.
>>
>> The basic principle could be seen put into practice all over the
>> security-related fields: make it harder to brute force it than the data
>> that the "offender" tries to get hold of is worth.
>>
>> 2012/7/22 Tsvetelina Borisova <[email protected]>
>>
>>> Thanks for the quick response :)
>>>
>>> On Sunday, 22 July 2012, 15:14:13 UTC+3, Андрей Большов wrote:
>>>
>>>> You should look at Devise gem Token Authenticatable solution as example.
>>>> You just add "?auth_token=#{@user.auth_token}" to your unsubscribe
>>>> url.
>>>>
>>>> On Sunday, 22 July 2012, 15:06:58 UTC+4, Tsvetelina Borisova wrote:
>>>>>
>>>>> Hello. In my app I send emails to tell that the user has certificate
>>>>> and I want to put a link - Unsubscribe. I don't know how to construct this
>>>>> link so that there won't be users that unsubscribe other users. I mean I
>>>>> want to make that is safe. I look in the web for how these unsubscribe
>>>>> links are made but I couldn't find anything. Can someone help me? Thanks
>>>>> in advance
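
The scheme discussed in this thread (a random per-user token in the unsubscribe link, plus refusing further tries after repeated failures for the same user) can be sketched in plain Ruby. This is an added example, not code from the thread or from Devise; the `UnsubUser` struct, the `uid` URL parameter, the `app.example` host and all method names are assumptions made for illustration.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory stand-in for a user record; a Rails app would keep
# these fields on its own User model.
UnsubUser = Struct.new(:id, :email, :token, :failed_tries, :subscribed)

MAX_FAILED_TRIES = 3   # the 4th unsuccessful try is denied, as suggested above
TOKEN_HEX_CHARS  = 22  # token length mentioned in the thread

def new_user(id, email)
  # SecureRandom.hex(n) returns 2*n hex characters from the OS CSPRNG.
  UnsubUser.new(id, email, SecureRandom.hex(TOKEN_HEX_CHARS / 2), 0, true)
end

# The uid parameter (an assumption) names the user the try is counted against.
def unsubscribe_url(user, base = "https://app.example/unsubscribe")
  "#{base}?uid=#{user.id}&auth_token=#{user.token}"
end

# Compare fixed-length digests byte by byte so response timing does not
# reveal how many leading characters of a guess were correct.
def same_token?(expected, presented)
  a = Digest::SHA256.digest(expected.to_s).bytes
  b = Digest::SHA256.digest(presented.to_s).bytes
  a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :unsubscribed, :invalid or :locked.
def unsubscribe(user, presented_token)
  return :locked if user.failed_tries >= MAX_FAILED_TRIES
  if same_token?(user.token, presented_token)
    user.subscribed = false
    user.failed_tries = 0
    :unsubscribed
  else
    user.failed_tries += 1
    :invalid
  end
end

# Number of equally likely tokens for a given count of hex characters.
def token_space(hex_chars)
  16**hex_chars
end
```

Once the failure limit is reached, even the correct token is refused until the counter is reset by some other path, so a real application needs a way to clear `failed_tries`.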

