Forum OpenACS Development: Old message about signed form/ad_page_contract variables

Signatures pass the token_id which never expires (by default).

See previous explanation by Jeff Davis

https://openacs.org/forums/message-view?message_id=183886

So my question: I looked at the auth_token, which appears to be 8 characters from one of the random tokens.

So would it make sense to add an additional user shared secret to the users table to sign variables?

If this is done in ad_sign it should be transparent to code that uses the signature feature.

Any good reasons we should not implement this?

What about signing forms/variables using a secret token tied to a session instead of a user? ecommerce ties critical forms to a session among other things. This suggestion wouldn't work when sessions change, but I'm not sure which cases those would be.
Good idea. You can have a session without a login token but if you have a login token you should also have a session.

This makes sense since then not-logged in access does not need any special code.

Thanks for the suggestion.
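The scheme the thread converges on, signing a form variable with a secret bound to the session rather than with a never-expiring token_id, is sketched below as an added example. This is not OpenACS's ad_sign and not code from any poster; the in-memory `SessionSecrets` store, the function names and the expiry field are assumptions made for illustration. It shows why the change matters: a signature stops verifying once the session's secret is rotated (logout or session change), when the value is altered, when it is replayed under another session, or after its deadline passes.

```python
import hmac
import hashlib
import json
import secrets


class SessionSecrets:
    """Hypothetical in-memory store holding one random secret per session.

    Constructed for this example only; OpenACS does not store secrets this way.
    """

    def __init__(self):
        self._by_session = {}

    def start(self, session_id):
        # A fresh 256-bit secret is minted when the session starts.
        self._by_session[session_id] = secrets.token_bytes(32)

    def rotate(self, session_id):
        # Called on logout or session change; every old signature stops verifying.
        self._by_session[session_id] = secrets.token_bytes(32)

    def get(self, session_id):
        return self._by_session.get(session_id)


def _message(session_id, expires, value):
    # JSON gives an unambiguous encoding of the three fields, so a separator
    # character inside value cannot be confused with a field boundary.
    return json.dumps([session_id, expires, value], separators=(",", ":")).encode()


def sign_value(store, session_id, value, now, max_age):
    """Return 'expires:hexmac' for value, bound to session_id and to a deadline."""
    secret = store.get(session_id)
    if secret is None:
        raise KeyError("unknown session")
    expires = int(now) + int(max_age)
    mac = hmac.new(secret, _message(session_id, expires, value), hashlib.sha256).hexdigest()
    return f"{expires}:{mac}"


def verify_value(store, session_id, value, signature, now):
    """True only if signature was made for this session and value and has not expired."""
    secret = store.get(session_id)
    if secret is None:
        return False
    try:
        expires_s, mac = signature.split(":", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    if int(now) > expires:
        return False
    expected = hmac.new(secret, _message(session_id, expires, value), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, mac)


def demo():
    """Walk through the cases raised in the thread; returns accept/reject per case."""
    store = SessionSecrets()
    store.start("sess-A")
    store.start("sess-B")
    t0 = 1_000_000  # constructed clock value (seconds)
    sig = sign_value(store, "sess-A", "order_id=42", now=t0, max_age=600)
    results = {
        "valid": verify_value(store, "sess-A", "order_id=42", sig, now=t0 + 10),
        "tampered_value": verify_value(store, "sess-A", "order_id=43", sig, now=t0 + 10),
        "other_session": verify_value(store, "sess-B", "order_id=42", sig, now=t0 + 10),
        "expired": verify_value(store, "sess-A", "order_id=42", sig, now=t0 + 601),
    }
    store.rotate("sess-A")
    results["after_rotation"] = verify_value(store, "sess-A", "order_id=42", sig, now=t0 + 10)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Binding the secret to the session is what makes the signature's lifetime match the session's; the explicit `expires` field is an extra bound that also covers the case where a session is long-lived but the signed value should not be.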