Re: [Rails] Re: How to construct unsubscribe link?
Sure! Glad to have helped somewhat. It's a perception thing (at least it is for me). I mean a string of 10 symbols of hexadecimal characters (0-through-f) could have 16^10 outcomes (= over 1 trillion = 100 billions). So just a single random guess (like buying a lottery ticket) would give you a 1 in / 1110 000 000 chance to hit it.
Most random ID generators (or however they are called) use 20 or 22 symbols. So the chance to "guess it" goes to "insanely unlikely".
2012/7/22 Tsvetelina Borisova <ts.borisova3@gmail.com>
Thanks, I was looking for exactly an answer like yours - Andrei's answer is cool and I only needed more theory on these unsubscribe links. Thanks Dihital :)
On Sunday, 22 July 2012, 17:41:54 UTC+3, Dihital wrote:
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/CMBCK2M2zw8J.
Andrei's solution works because with the Devise gem the User#auth_token is randomly generated and unique per your app. It would be extremely hard to brute-force it, that's why it's safe; though it would be a good idea to make sure you deny the 4th or whichever unsuccessful try to use the same action in the same context (i.e. relating to the same user; similar to when you get your account locked if you enter a PIN 3 times unsuccessfully) if you are expecting to be brute-forced or simply have a higher security level required by the client or yourself.
The basic principle can be seen put into practice all over the security-related fields: make it harder to brute force it than the data that the "offender" tries to get hold of is worth.
2012/7/22 Tsvetelina Borisova <ts.borisova3@gmail.com>
Thanks for the quick response :)
On Sunday, 22 July 2012, 15:14:13 UTC+3, Андрей Большов wrote:
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/L46k5wCBkEsJ.
You should look at the Devise gem's Token Authenticatable solution as an example.
You just add "?auth_token=#{@user.auth_token}" to your unsubscribe URL.
On Sunday, 22 July 2012, 15:06:58 UTC+4, Tsvetelina Borisova wrote:
Hello. In my app I send emails to tell the user that they have a certificate, and I want to put a link in them - Unsubscribe. I don't know how to construct this link so that there won't be users that unsubscribe other users. I mean I want to make sure that it is safe. I looked on the web for how these unsubscribe links are made but I couldn't find anything. Can someone help me? Thanks in advance
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
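The approach discussed in this thread (a random per-user token in the link, plus refusing further tries for the same user after repeated bad guesses), as an added example in plain Ruby that is not code from any poster and not Devise's own implementation. The class name, the in-memory hashes, the example.invalid URL and the user_id query parameter (needed so failures can be counted per user) are assumptions made for illustration.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory stand-in for a users table (not Devise, not Rails).
class UnsubscribeLinks
  MAX_FAILURES = 3 # the 4th bad try for the same user is denied

  def initialize
    @tokens = {}            # user_id => token
    @subscribed = {}        # user_id => true/false
    @failures = Hash.new(0) # user_id => bad tries since the last success
  end

  # 10 random bytes from the OS CSPRNG, rendered as 20 hex symbols.
  def issue(user_id)
    @subscribed[user_id] = true
    @tokens[user_id] = SecureRandom.hex(10)
  end

  def url_for(user_id, base = "https://example.invalid/unsubscribe")
    "#{base}?user_id=#{user_id}&auth_token=#{@tokens.fetch(user_id)}"
  end

  def subscribed?(user_id)
    @subscribed[user_id] == true
  end

  # Returns :ok, :invalid or :locked.
  def unsubscribe(user_id, presented)
    return :invalid unless @tokens.key?(user_id)
    return :locked if @failures[user_id] >= MAX_FAILURES
    unless same?(@tokens[user_id], presented.to_s)
      @failures[user_id] += 1
      return :invalid
    end
    @failures.delete(user_id)
    @subscribed[user_id] = false
    :ok
  end

  private

  # Compare fixed-length digests without an early exit, so response time
  # does not reveal how many leading characters of a guess were right.
  def same?(expected, presented)
    a = Digest::SHA256.digest(expected).bytes
    b = Digest::SHA256.digest(presented).bytes
    a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Once a user is locked, even the correct token is refused, so a real application needs a way to clear the counter, for example after a time window.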