[Catalyst] email confirmation widget?

Andrew Rodland arodland at comcast.net
Thu Oct 11 16:46:30 GMT 2007

On Thursday 11 October 2007 04:09:40 am Ian Docherty wrote:
> The principle is this.
> Create a text string containing the user-id and the date, e.g.
> '666-20001011' then append a 'secret' code to it only known by the
> server giving you a string like '666-20001011-ThiSW1llNev3rBQuessed'.
> You now apply your favorite one-way hash function to this string, for
> example MD5 or SHA1.
> You now include in your email the link to the site with the string
> '666-20001011-<SHA1orMD5string goes here>'

Not to be overly picky, but from a crypto POV, it might make more sense to use 
real HMAC-MD5/HMAC-SHA rather than the "look what I just reinvented" HMAC. It 
shouldn't be any slower or more complicated, and it provides one less chance 
for someone to forge a token if they really want (since in this situation, 
the only "proof" you offer yourself that you generated the token in the first 
place is that the MAC matches).
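As an added illustration (not code from either poster, and in Python rather than the Perl a Catalyst application would use), here is the token layout from the thread built both ways: once as the ad-hoc SHA1(user-date-secret) construction quoted above, and once as a proper HMAC-SHA1 over the same "user-date" payload. The verifier recomputes the tag over the exact bytes received, compares it in constant time, and also enforces the date the token carries so an old confirmation link cannot be replayed indefinitely. The secret, the user id and the dates are constructed sample values; the three-day validity window is an assumption.

```python
import datetime
import hashlib
import hmac
from typing import Optional

# Constructed example secret. A real deployment loads this from
# configuration and never hard-codes it.
SECRET = b"ThiSW1llNev3rBQuessed"


def _payload(user_id: str, date: str) -> bytes:
    # The authenticated part of the token, e.g. b"666-20001011".
    return f"{user_id}-{date}".encode("ascii")


def make_token_adhoc(user_id: int, date: str, secret: bytes = SECRET) -> str:
    """The construction quoted in the thread: plain SHA1 over user-date-secret."""
    digest = hashlib.sha1(_payload(str(user_id), date) + b"-" + secret).hexdigest()
    return f"{user_id}-{date}-{digest}"


def make_token(user_id: int, date: str, secret: bytes = SECRET) -> str:
    """Same token layout, but the tag is HMAC-SHA1 keyed with the secret."""
    tag = hmac.new(secret, _payload(str(user_id), date), hashlib.sha1).hexdigest()
    return f"{user_id}-{date}-{tag}"


def verify_token(token: str, secret: bytes = SECRET, today: Optional[str] = None,
                 max_age_days: int = 3) -> Optional[int]:
    """Return the user id if the token is authentic and no older than
    max_age_days, otherwise None. `today` (YYYYMMDD) is injectable so the
    check is deterministic under test; the window length is an assumption."""
    parts = token.split("-")
    if len(parts) != 3:
        return None
    uid_str, date, tag = parts
    if not uid_str.isdigit():
        return None
    try:
        issued = datetime.datetime.strptime(date, "%Y%m%d").date()
    except ValueError:
        return None
    # Recompute over the bytes actually received, so "0666" does not
    # verify with a tag issued for "666".
    expected = hmac.new(secret, _payload(uid_str, date), hashlib.sha1).hexdigest()
    # Constant-time comparison so the check does not leak how many
    # characters of the tag were correct.
    if not hmac.compare_digest(expected, tag):
        return None
    now = (datetime.datetime.strptime(today, "%Y%m%d").date()
           if today else datetime.date.today())
    if now < issued or (now - issued).days > max_age_days:
        return None
    return int(uid_str)


if __name__ == "__main__":
    tok = make_token(666, "20001011")
    print("ad-hoc :", make_token_adhoc(666, "20001011"))
    print("HMAC   :", tok)
    print("valid  :", verify_token(tok, today="20001012"))
    print("expired:", verify_token(tok, today="20001101"))
```

The server-side logic is unchanged between the two variants; only the keyed primitive differs, which is the point made above: using the standard HMAC costs nothing extra and removes the need to reason about what a hand-rolled hash-of-concatenation does or does not guarantee. Verifying over the received bytes and the embedded date is what turns the tag into a usable confirmation check rather than just a string that happens to match.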
