Posted: Wed Jun 15, 2005 4:46 pm
Well, both can be done quite randomly and uniquely. If you use Neilsene's method,
identifier+expTime+MAC(identifier+expTime),
it takes a bit of extra work to ensure the identifier is not easily guessable. To do this, you have to add a field to your user account table, that stores a unique, but random string. As he suggests...
This method now becomes quite a bit more complex than simply encrypting the user's ID, which frees you of storing any info in plaintext. I guess one drawback of encrypting a user ID is that you can't easily change the key without everyone having to log in manually. Any other drawbacks?

I tend to recommend a hashed random value for use as the identifier -- store it in the DB, not used as a key elsewhere.
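The identifier+expTime+MAC(identifier+expTime) cookie discussed above, as an added example that is not part of the original thread: the random per-user identifier stands in for the extra account-table column, and the key, table and field separator are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed demo key; a real deployment loads this from a secrets store.
SERVER_KEY = b"constructed-demo-key-do-not-use"

# Hypothetical stand-in for the account table's extra column: a random,
# unguessable identifier mapped back to the account it belongs to.
ACCOUNTS: dict[str, str] = {}


def new_login_identifier(username: str) -> str:
    """Mint a random identifier for this user and store it (the DB column)."""
    ident = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    ACCOUNTS[ident] = username
    return ident


def _mac(identifier: str, exp_time: int) -> str:
    """HMAC-SHA256 over identifier and expiry so neither can be altered."""
    msg = f"{identifier}:{exp_time}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_cookie(identifier: str, exp_time: int) -> str:
    """identifier + expTime + MAC(identifier + expTime), colon-separated."""
    return f"{identifier}:{exp_time}:{_mac(identifier, exp_time)}"


def verify_cookie(cookie: str, now: int):
    """Return the username for a valid, unexpired cookie, otherwise None."""
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    identifier, exp_str, mac = parts
    if not exp_str.isdigit():
        return None
    exp_time = int(exp_str)
    # Check the MAC before trusting either field; constant-time compare
    # avoids leaking how many bytes of a forged tag were correct.
    if not hmac.compare_digest(mac, _mac(identifier, exp_time)):
        return None
    if now >= exp_time:
        return None
    # Identifier is only a lookup key; nothing sensitive is in the cookie.
    return ACCOUNTS.get(identifier)
```

Rotating SERVER_KEY invalidates every outstanding cookie, which is the forced re-login drawback the post raises.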