From: Stefan Sperling
Subject: Re: ensure gotwebd login token uniqueness
To: gameoftrees@openbsd.org
Date: Mon, 22 Dec 2025 20:13:25 +0100

On Mon, Dec 22, 2025 at 02:38:43PM +0100, Stefan Sperling wrote:
> Which means users (including anonymous) can deduce the occurrence of
> server-side clock ticks once per second by requesting login links
> repeatedly and watching the login token changing.

Actually, the above point is moot since the token contains timestamps.
But I suppose there is no reason why we shouldn't add randomness anyway?