Whenever I upvote a story, HN sends a request of type: `vote?id=12390292&how=up&auth=XXX`

`XXX` is different for each story in the page.

I checked the cookies using dev tools. There is a cookie called `user` whose value is `<myusername>&[YYYY]`.

Here `YYYY` is a different token. Can anyone explain what is going on with all these tokens and why they are all different?

PS: Inspired by http://blog.watchandcode.com/2016/03/17/the-single-piece-of-javascript-on-hacker-news/
For a voting URL, you want some value that the server can calculate based on info it has, and that's sufficiently large to not be brute-forceable, and sufficiently unpredictable to not be enumerable. They are 'capability URLs' [1] like a private Google Docs link, or a 'click here to reset your password' token. So the 'auth' parameter in the URL is likely the output of a deterministic function of the user and a server-side secret, and possibly a time factor; you can accomplish this with an HMAC.

HOTP [2] and TOTP [3] are two concrete schemes that use this method and truncate to a human-friendly size at the end to use it as part of a challenge-response, but you don't want to truncate this here because then the range of values would be brute-forceable. So it's likely just the output of a LARGE-HMAC(secret-key, MixingFunction(user, timewindow)). Or, if time isn't present, then LARGE-HMAC(secret-key, user).

Since the voting URLs are server-generated, the cookie value must be unrelated. Logging in with a web browser, copying the cookie, and mimicking the same cookies with curl, I'm logged in with curl, but changing either my username or my token I'm not logged in. The opaque value in the cookie is consistent with what you'd expect from a session ID, which is not surprising. I'm speculating, but the addition of the username may serve as a countermeasure against session guessing attacks (like, being able to quickly distinguish a tampered session ID from a good one, like these other apps try to [4][5]), or may simply be an implementation detail.

[1] https://www.w3.org/TR/capability-urls/

[2] https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_Algorithm

[3] https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm

[4] http://stackoverflow.com/questions/18751565/detecting-rails-4-session-cookie-tampering

[5] https://github.com/expressjs/session/issues/176