by CiPHPerCoder
3394 days ago
Hash it how, exactly? H(s || m)? HMAC(m, s)?

> The only time this fails is if your hash function is broken, and if that's the case you've got much bigger problems

Or if your salt is leaked. A salt, by definition, is not a cryptographic secret. That's why they're stored (in plaintext) as part of the hash in every password hashing algorithm.

It sounds like you're advocating for an additional HMAC instead, with a secret key used to authenticate these messages instead of a salt. Which is fine.

But to call split tokens convoluted, then turn around and propose salted hashing the entire thing and still not solving the existence of the timing leak? I find this hypocritical, and oddly reminiscent of people who think it's fine to escape-and-concatenate to solve SQL injection when we've had prepared statements available for over a decade.
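The split-token design the comment defends, in its commonly described selector-plus-verifier form, shown as an added example that is not code from this thread or its participants. The table layout, function names and byte sizes are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets
import sqlite3

SELECTOR_BYTES = 12   # assumed size; looked up by the database index
VERIFIER_BYTES = 24   # assumed size; never stored, only its hash is

def open_store():
    """In-memory token table (hypothetical schema for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tokens (selector TEXT PRIMARY KEY, "
        "verifier_hash BLOB NOT NULL, user_id INTEGER NOT NULL)"
    )
    return db

def issue_token(db, user_id):
    """Store selector + SHA-256(verifier); hand selector||verifier to the user."""
    selector = secrets.token_hex(SELECTOR_BYTES)
    verifier = secrets.token_hex(VERIFIER_BYTES)
    digest = hashlib.sha256(verifier.encode()).digest()
    db.execute("INSERT INTO tokens VALUES (?, ?, ?)", (selector, digest, user_id))
    return selector + verifier

def validate_token(db, token):
    """Return the user id for a valid token, else None."""
    split = SELECTOR_BYTES * 2  # hex doubles the length
    if len(token) != split + VERIFIER_BYTES * 2:
        return None
    selector, verifier = token[:split], token[split:]
    # The index lookup may leak timing, but only about the selector,
    # which on its own authenticates nothing.
    row = db.execute(
        "SELECT verifier_hash, user_id FROM tokens WHERE selector = ?",
        (selector,),
    ).fetchone()
    if row is None:
        return None
    stored_hash, user_id = row
    candidate = hashlib.sha256(verifier.encode()).digest()
    # The secret half is compared in constant time, and only as a hash.
    if hmac.compare_digest(candidate, stored_hash):
        return user_id
    return None
```
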