

Slack. Or why you need to hash reset_token like password - homakov
http://sakurity.com/blog/2015/03/27/slack_or_reset_token_hashing.html?

======
zaroth
Even without an ID in the post, you could hash the input and search for a
matching value in the DB, right? So not having an ID along with it isn't proof
they aren't hashing tokens, but... I think hashing tokens, especially
session_id, is a good defense-in-depth practice which almost no one is
following.

~~~
homakov
> Even without an ID in the post, you could hash the input and search for a
> matching value in the DB, right

Hmmm indeed! If we hash the incoming value _before_ searching then it would work.
So with a black box it's impossible to tell, I'm sorry.

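The lookup the two comments above converge on, written out as an added example (not homakov's code, and not Slack's implementation): the server stores only a digest of the reset token, and on redemption hashes the submitted value and searches by that digest, so the reset link needs no user ID and a leaked database row cannot be turned into a working link. The in-memory dict standing in for the tokens table, the one-hour TTL, and the function names are assumptions of this example. Because the token is 256 bits from a CSPRNG, a single unsalted SHA-256 is enough here; the slow, salted KDF that a low-entropy password needs buys nothing against a token an attacker cannot guess.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Assumed TTL for a reset token (one hour).
TOKEN_TTL_SECONDS = 3600

# Constructed stand-in for the reset_tokens table: token_hash -> record.
# The plaintext token is never written here.
TokenDB = Dict[str, dict]


def hash_token(token: str) -> str:
    """Digest stored in place of the token.

    The token carries 256 bits of CSPRNG entropy, so a fast unsalted hash
    is sufficient: an offline attacker holding the digest has no feasible
    way to recover the preimage, unlike a human-chosen password.
    """
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(db: TokenDB, user_id: int, now: int) -> str:
    """Create a reset token for user_id; store its hash, return the plaintext.

    The plaintext is what goes into the e-mailed link (and nowhere else).
    """
    token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe encoding
    db[hash_token(token)] = {
        "user_id": user_id,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def consume_reset_token(db: TokenDB, submitted: str, now: int) -> Optional[int]:
    """Redeem a token submitted from the reset link.

    The submitted value is hashed *before* the lookup, which is why the link
    needs no user ID: the digest alone identifies the row. A value copied
    from a leaked row is itself a digest; hashing it again finds nothing.
    Single use: the row is removed on first valid redemption.
    """
    record = db.pop(hash_token(submitted), None)
    if record is None:
        return None  # unknown token, or a leaked digest replayed as a token
    if now > record["expires"]:
        return None  # expired; the row is already gone, so no retry either
    return record["user_id"]


if __name__ == "__main__":
    db: TokenDB = {}
    link_token = issue_reset_token(db, user_id=42, now=1_000)
    leaked_digest = next(iter(db))  # what a DB dump would expose
    print("leaked digest works as token:",
          consume_reset_token(db, leaked_digest, now=1_001) is not None)
    print("real link token works:",
          consume_reset_token(db, link_token, now=1_001) == 42)
    print("replay of the same link works:",
          consume_reset_token(db, link_token, now=1_002) is not None)
```

The check worth keeping from this is the second call: feeding a value straight out of the stored table back into the redemption path must fail, which is exactly what distinguishes hashed storage from a plaintext `reset_token` column. With plaintext storage the same dump would hand out a valid link for every pending reset.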
