From: Tracey Emery <tracey@traceyemery.net>
Subject: Re: ensure gotwebd login token uniqueness
To: gameoftrees@openbsd.org
Date: Mon, 22 Dec 2025 16:13:35 -0700

I think the addition is worthwhile. Ok.

On December 22, 2025 12:13:25 PM MST, Stefan Sperling <stsp@stsp.name> wrote:
>On Mon, Dec 22, 2025 at 02:38:43PM +0100, Stefan Sperling wrote:
>> Which means users (including anonymous) can deduce the occurrence of
>> server-side clock ticks once per second by requesting login links
>> repeatedly and watch the login token changing.
>
>Actually, the above point is moot since the token contains timestamps.
>But I suppose there is no reason why we shouldn't add randomness anyway?
>

-- 
Tracey Emery
Sent from my phone.