From: Tracey Emery
Subject: Re: ensure gotwebd login token uniqueness
To: gameoftrees@openbsd.org
Date: Mon, 22 Dec 2025 16:13:35 -0700

I think the addition is worthwhile. Ok.

On December 22, 2025 12:13:25 PM MST, Stefan Sperling wrote:
>On Mon, Dec 22, 2025 at 02:38:43PM +0100, Stefan Sperling wrote:
>> Which means users (including anonymous) can deduce the occurrence of
>> server-side clock ticks once per second by requesting login links
>> repeatedly and watching the login token changing.
>
>Actually, the above point is moot since the token contains timestamps.
>But I suppose there is no reason why we shouldn't add randomness anyway?
>

-- 
Tracey Emery
Sent from my phone.