[Catalyst] email confirmation widget?
Andrew Rodland
arodland at comcast.net
Thu Oct 11 16:46:30 GMT 2007
On Thursday 11 October 2007 04:09:40 am Ian Docherty wrote:
> The principle is this.
>
> Create a text string containing the user-id and the date, e.g.
> '666-20001011' then append a 'secret' code to it only known by the
> server giving you a string like '666-20001011-ThiSW1llNev3rBQuessed'.
>
> You now apply your favorite one-way hash function to this string, for
> example MD5 or SHA1.
>
> You now include in your email the link to the site with the string
> '666-20001011-<SHA1 or MD5 string goes here>'
>
Not to be overly picky, but from a crypto POV, it might make more sense to use
real HMAC-MD5/HMAC-SHA rather than the "look what I just reinvented" HMAC. It
shouldn't be any slower or more complicated, and it provides one less chance
for someone to forge a token if they really want (since in this situation,
the only "proof" you offer yourself that you generated the token in the first
place is that the MAC matches).
Andrew
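A worked version of the token scheme Andrew describes, added here as an example and not code from either poster or from Catalyst. It is written in Python rather than Perl so it can be run as-is; the Perl equivalent is Digest::SHA's hmac_sha1_hex($msg, $secret). The secret, user id and dates are constructed from the quoted post, and the two-day validity window is an assumption. ad_hoc_tag() reproduces the quoted SHA1(user-date-secret) construction only for contrast; make_token() and verify_token() use a real HMAC-SHA1 over the same user-date string, compare tags in constant time, and authenticate the received bytes before interpreting the date.

```python
import hashlib
import hmac
from datetime import date, datetime

# Constructed demo secret, taken from the quoted post. A real deployment loads
# the key from server-side configuration and never embeds it in source.
SECRET = b"ThiSW1llNev3rBQuessed"


def ad_hoc_tag(msg, secret=SECRET):
    """The quoted post's construction: plain SHA1 over 'user-date-secret'.
    Shown only for contrast with hmac_tag(); not used by make_token()."""
    return hashlib.sha1(msg.encode() + b"-" + secret).hexdigest()


def hmac_tag(msg, secret=SECRET):
    """HMAC-SHA1 over the user-date string, keyed with the server secret."""
    return hmac.new(secret, msg.encode(), hashlib.sha1).hexdigest()


def make_token(user_id, issued, secret=SECRET):
    """Build the 'user-YYYYMMDD-tag' string that goes into the e-mailed link."""
    if "-" in str(user_id):
        raise ValueError("user_id must not contain the field separator '-'")
    msg = f"{user_id}-{issued:%Y%m%d}"
    return f"{msg}-{hmac_tag(msg, secret)}"


def verify_token(token, today, max_age_days=2, secret=SECRET):
    """Return the user id if the token is authentic and still valid, else None."""
    parts = token.split("-")
    if len(parts) != 3:
        return None
    user_id, datestr, tag = parts
    # hmac.compare_digest() rejects non-ASCII str, so sanity-check the tag
    # shape first; a 40-char lowercase hex string is what hexdigest() emits.
    if len(tag) != 40 or any(c not in "0123456789abcdef" for c in tag):
        return None
    # Authenticate exactly the bytes received before interpreting them, so an
    # alternative encoding of the same date cannot slip past the check.
    if not hmac.compare_digest(hmac_tag(f"{user_id}-{datestr}", secret), tag):
        return None
    try:
        issued = datetime.strptime(datestr, "%Y%m%d").date()
    except ValueError:
        return None
    age = (today - issued).days
    if age < 0 or age > max_age_days:
        return None
    return user_id


def demo():
    """Constructed case: returns (valid, tampered, expired) verification results."""
    issued = date(2000, 10, 11)
    tok = make_token("666", issued)
    valid = verify_token(tok, issued)               # "666"
    tampered = verify_token("667" + tok[3:], issued)  # None: tag no longer matches
    expired = verify_token(tok, date(2000, 10, 20))   # None: outside the window
    return valid, tampered, expired


if __name__ == "__main__":
    print(make_token("666", date(2000, 10, 11)))
    print(demo())
```

The HMAC is no more expensive than the hand-rolled hash, and nothing in the link changes shape: it is still user-date-tag. The date is still needed alongside the HMAC because the MAC only proves the server issued the string; it says nothing about when, so the expiry check has to be made explicitly at verification time.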