by Brian_K_White
1144 days ago
If they can track the token that way, that blows the whole point, the token becomes a persistent unique id. The idea was to prove that a token exists without disclosing the token itself, nor any sort of 1:1 substitution. That sort of thing is definitely possible, that's not the conundrum. What they said is one of the conundrums I have to admit. If the server doesn't know who the user is, then the server doesn't know it's a valid user vs a bot. But I only agree it's a problem. I don't agree it's a problem without a solution.