[eluser]n0xie[/eluser]
a. Use some algorithm based on info only YOU have (user_id and some secret; user_id prevents accidental collisions) plus some info that is unpredictable (some random number) plus some info that is time based to prevent same-user collision hashes. Or whatever else you can come up with. In the most basic form:
Code:
// Token = hash of (who) + (what only the server knows) + (random) + (when)
private function gen_token($user_id, $secret)
{
    return md5($user_id . $secret . mt_rand() . time());
}
b. Store the token in the database identifying the user. Match the URL against the token. Now you know which user it is and thus what you should display. If no matches were found you could add some time based waiting system that disallows users from that IP to try and 'guess' hashes. This works well against brute-force attacks.
c. Every token can be faked. There is no protection against people randomly trying out hashes in the URL. You could implement another security measure (user has to be logged in and user_id of the logged-in user must match user_id of the token) but this would be tricky if people want to use an RSS reader or any other means of retrieving the RSS feed without using a browser.
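The three steps above (mint a token, look it up to find the user, slow down guessing from one IP) put together, as an added PHP example that is not the poster's code. The "database" is an in-memory array standing in for a real table, the token is drawn from the OS CSPRNG via random_bytes rather than from mt_rand/time, only a SHA-256 of the token is stored so a leaked table does not expose live feed URLs, and the lockout threshold, lockout window and IP addresses are constructed values.

```php
<?php
// Added example (not from the original post): per-user feed tokens, a lookup
// keyed on the token's hash, and a per-IP lockout for failed lookups.
// Assumptions: arrays stand in for DB tables; limits below are illustrative.

const FEED_TOKEN_BYTES   = 32;   // 256 bits of entropy: brute force is infeasible
const MAX_FAILED_LOOKUPS = 5;    // failures per IP before a lockout starts
const LOCKOUT_SECONDS    = 300;  // how long a locked-out IP is refused

// Table of feed tokens: sha256(token) => user_id  (stands in for a DB table)
$feed_tokens = [];
// Per-IP failure record: ip => ['count' => n, 'until' => unix timestamp or 0]
$failed_lookups = [];

/**
 * Mint a new feed token for a user and record its hash. The token comes from
 * the OS CSPRNG, so it does not depend on a secret, the user id or the clock
 * and cannot be reconstructed by anyone who learns those values.
 */
function gen_feed_token(array &$feed_tokens, int $user_id): string
{
    $token = bin2hex(random_bytes(FEED_TOKEN_BYTES));
    $feed_tokens[hash('sha256', $token)] = $user_id;
    return $token;
}

/**
 * Resolve the token taken from the URL to a user id, or null if unknown.
 * Looking up by hash keeps the table free of live tokens and makes the
 * lookup O(1) no matter how many users have feeds.
 */
function lookup_feed_token(array $feed_tokens, string $token): ?int
{
    // Cheap format check before hashing: tokens are exactly 64 hex chars.
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    return $feed_tokens[hash('sha256', $token)] ?? null;
}

/**
 * Handle one feed request from $ip carrying $token at time $now.
 * Returns the user id whose feed to render, or null (caller answers 404/429).
 */
function handle_feed_request(
    array &$feed_tokens,
    array &$failed,
    string $ip,
    string $token,
    int $now
): ?int {
    if (isset($failed[$ip])) {
        if ($failed[$ip]['until'] > $now) {
            return null;                    // still locked out: do not even look
        }
        if ($failed[$ip]['until'] !== 0) {
            unset($failed[$ip]);            // lockout expired: start counting afresh
        }
    }

    $user_id = lookup_feed_token($feed_tokens, $token);
    if ($user_id !== null) {
        unset($failed[$ip]);                // a valid token clears the record
        return $user_id;
    }

    // Unknown token: count the failure and lock the IP out at the threshold.
    $count = ($failed[$ip]['count'] ?? 0) + 1;
    $until = $count >= MAX_FAILED_LOOKUPS ? $now + LOCKOUT_SECONDS : 0;
    $failed[$ip] = ['count' => $count, 'until' => $until];
    return null;
}

// Constructed walk-through: one real feed URL, one guessing client.
$now   = time();
$token = gen_feed_token($feed_tokens, 42);
printf("feed URL for user 42: /feed/%s\n", $token);

// The legitimate reader resolves to user 42.
var_dump(handle_feed_request($feed_tokens, $failed_lookups, '198.51.100.7', $token, $now));

// Another IP guesses wrong MAX_FAILED_LOOKUPS times and is locked out ...
for ($i = 0; $i < MAX_FAILED_LOOKUPS; $i++) {
    handle_feed_request($feed_tokens, $failed_lookups, '203.0.113.9', str_repeat('0', 64), $now);
}
// ... so even the real token is refused from that IP until the window ends.
var_dump(handle_feed_request($feed_tokens, $failed_lookups, '203.0.113.9', $token, $now));
var_dump(handle_feed_request($feed_tokens, $failed_lookups, '203.0.113.9', $token, $now + LOCKOUT_SECONDS + 1));
```

The lockout deliberately applies to the IP, not to the token: a guessing client never learns which user it was hitting, and a legitimate reader behind the same address recovers once the window passes. In a real deployment the two arrays would be a tokens table and a failures table (or a cache with expiry), and the failure record should be pruned so it cannot grow without bound.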