ensure gotwebd login token uniqueness

From:: Stefan Sperling <stsp@stsp.name>
Subject:: Re: ensure gotwebd login token uniqueness
To:: gameoftrees@openbsd.org
Date:: Mon, 22 Dec 2025 20:13:25 +0100

Download raw body.

Thread

2025-12-22 13:38 Stefan Sperling:
ensure gotwebd login token uniqueness
- 2025-12-22 19:13 Stefan Sperling:
  ensure gotwebd login token uniqueness
- - 2025-12-22 23:13 Tracey Emery:
    ensure gotwebd login token uniqueness
  - - 2025-12-23 09:10 Stefan Sperling:
      ensure gotwebd login token uniqueness

On Mon, Dec 22, 2025 at 02:38:43PM +0100, Stefan Sperling wrote:
> Which means users (including anonymous) can deduce the occurance of
> server-side clock ticks once per second by requesting login links
> repeatedly and watch the login token changing.

Actually, the above point is moot since the token contains timestamps.
But I suppose there is no reason why we shouldn't add randomness anyway?

2025-12-22 13:38 Stefan Sperling:
ensure gotwebd login token uniqueness
- 2025-12-22 19:13 Stefan Sperling:
  ensure gotwebd login token uniqueness
- - 2025-12-22 23:13 Tracey Emery:
    ensure gotwebd login token uniqueness
  - - 2025-12-23 09:10 Stefan Sperling:
      ensure gotwebd login token uniqueness