by stringlytyped
3557 days ago
I've been doing some reading about this in an attempt to answer my own question. It turns out there is potential for a timing attack during the verification stage. Provided you store the plain-text token in the database, an attacker can deduce a valid token by submitting various guesses to the server. Hashing the token protects against this. For more detail: http://blog.ircmaxell.com/2014/11/its-all-about-time.html
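Added example, not part of stringlytyped's comment or the linked post: a Python simulation of the attack the comment describes and of why hashing stops it. Rather than measuring wall-clock time, the early-exit comparison reports how many bytes it examined before giving up, which is the quantity a remote attacker estimates from response latency. The store classes, the 32-character hex token format, the choice of SHA-256 and the recovery routine are all assumptions made for this illustration, not anything the thread specifies.

```python
"""Timing side channel on token verification: plaintext store vs. hashed store.

Constructed example. The comparison counts examined bytes as a stand-in for
elapsed time; everything else (store layout, token format, hash) is assumed.
"""
import hashlib
import hmac
import secrets
import string

HEX = string.hexdigits[:16]  # '0123456789abcdef'
TOKEN_LEN = 32               # secrets.token_hex(16) yields 32 hex characters


def leaky_equals(a: bytes, b: bytes):
    """Early-exit comparison, as a naive `==` or an indexed lookup may behave.

    Returns (equal, bytes_examined). bytes_examined is the side channel: a guess
    sharing a longer correct prefix runs longer before the first mismatch.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


class PlaintextTokenStore:
    """Vulnerable: keeps the raw token and compares the submission against it."""

    def __init__(self):
        self._tokens = {}  # user_id -> token bytes (assumed layout)

    def issue(self, user_id, token=None):
        token = token or secrets.token_hex(16)
        self._tokens[user_id] = token.encode()
        return token

    def verify(self, user_id, token):
        stored = self._tokens.get(user_id)
        if stored is None:
            return False, 0
        return leaky_equals(stored, token.encode())  # leaks the matching prefix


class HashedTokenStore:
    """Hardened: keeps SHA-256(token). The submission is hashed before the
    comparison, so whatever the comparison leaks describes the digest, and a
    digest prefix says nothing about the token prefix."""

    def __init__(self):
        self._digests = {}  # user_id -> sha256 digest bytes (assumed layout)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user_id, token=None):
        token = token or secrets.token_hex(16)
        self._digests[user_id] = self._digest(token)
        return token

    def verify(self, user_id, token):
        # Deliberately still uses the leaky comparison to show that hashing
        # alone defeats the recovery below.
        stored = self._digests.get(user_id)
        if stored is None:
            return False, 0
        return leaky_equals(stored, self._digest(token))

    def verify_constant_time(self, user_id, token):
        # What production code should do: hash and compare in constant time.
        stored = self._digests.get(user_id)
        return stored is not None and hmac.compare_digest(stored, self._digest(token))


def recover_token(oracle, length=TOKEN_LEN, alphabet=HEX):
    """Character-at-a-time recovery using only the bytes_examined channel.

    oracle(guess) -> (accepted, bytes_examined). At each position the candidate
    that makes the comparison run longest extends the recovered prefix.
    """
    recovered = ""
    for pos in range(length):
        best_char, best_examined = None, -1
        for c in alphabet:
            guess = recovered + c + "0" * (length - pos - 1)
            accepted, examined = oracle(guess)
            if accepted:
                return guess
            if examined > best_examined:
                best_char, best_examined = c, examined
        recovered += best_char
    return recovered


if __name__ == "__main__":
    plain, hashed = PlaintextTokenStore(), HashedTokenStore()
    real = plain.issue("alice")
    hashed.issue("alice", real)
    print("plaintext store leaks token:", recover_token(lambda g: plain.verify("alice", g)) == real)
    print("hashed store leaks token:   ", recover_token(lambda g: hashed.verify("alice", g)) == real)
```

Against the plaintext store the recovery needs at most 16 queries per character, so roughly 512 for a 32-character token, because each query's "duration" tells the attacker whether the prefix grew. Against the hashed store the same queries return durations that depend on SHA-256 output, and the recovered string is garbage; `verify_constant_time` then closes the remaining (harmless) digest-comparison channel as well.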