The “validation token” works by how the server recalls it.
A general token is a random string; the server keeps in its database a mapping from emitted tokens to authenticated user names. Old tokens can be removed automatically in order to prevent the server’s database from growing indefinitely. Such a token is good enough for security as long as an attacker cannot create a valid token with non-negligible probability, a “valid token” being “a token which is in the database of emitted tokens”. It is sufficient that token values have length at least 16 bytes and are produced with a cryptographically strong PRNG (e.g. /dev/urandom, CryptGenRandom(), java.security.SecureRandom… depending on your platform).
It is possible to offload the storage requirement on the clients themselves. In the paragraph above, what “memory” should the server have of a token? Namely the user name, and the date of production of the token. So, create your tokens like this:
- Server has a secret key K (a sequence of, say, 128 bits, produced by a cryptographically secure PRNG).
- A token contains the user name (U), the time of issuance (T), and a keyed integrity check computed over U and T (together), keyed with K (by default, use HMAC with SHA-256 or SHA-1).
Thanks to its knowledge of K, the server can verify whether a given token, sent back by the user, is one of its own or not; but the attacker cannot forge such tokens. I hope this is helpful for you.
Thanks & Regards
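Both token designs from the answer above, written out as an added example (this is not code from the original answer): a random token remembered in a server-side table that is purged of old entries, and a stateless token made of the user name U, the issuance time T and an HMAC-SHA256 over U and T keyed with the server secret K. The class and function names, the 16-byte key size, the one-hour lifetime and the `b64(U).T.b64(mac)` encoding are this example's own choices.

```python
import base64
import hashlib
import hmac
import secrets
import time

# All names and constants below are this example's own, not from the original answer.
TOKEN_TTL_SECONDS = 3600  # assumed lifetime; pick one that suits the application


# --- Variant 1: random token, server-side table ---------------------------

class RandomTokenStore:
    """Maps emitted random tokens to (user, issued_at); old entries are purged."""

    def __init__(self, ttl_seconds=TOKEN_TTL_SECONDS):
        self._ttl = ttl_seconds
        self._tokens = {}

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        # 16 bytes from the OS CSPRNG (secrets wraps os.urandom): not guessable
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (user, now)
        return token

    def verify(self, token, now=None):
        """Return the user name for a live token in the table, else None."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, issued_at = entry
        if now - issued_at > self._ttl:
            del self._tokens[token]
            return None
        return user

    def purge(self, now=None):
        """Drop expired entries so the table does not grow indefinitely."""
        now = time.time() if now is None else now
        stale = [t for t, (_, issued) in self._tokens.items() if now - issued > self._ttl]
        for t in stale:
            del self._tokens[t]
        return len(stale)


# --- Variant 2: stateless token, HMAC keyed with the server secret K ------

def make_secret_key():
    """K: 128 bits from the OS CSPRNG, kept only on the server."""
    return secrets.token_bytes(16)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_stateless_token(key, user, issued_at=None):
    """Token = b64(U) '.' T '.' b64(HMAC-SHA256_K(b64(U) '.' T))."""
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    # U is base64-encoded so the '.' separators stay unambiguous whatever U contains
    payload = "%s.%d" % (_b64(user.encode("utf-8")), issued_at)
    mac = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return payload + "." + _b64(mac)


def verify_stateless_token(key, token, now=None, ttl_seconds=TOKEN_TTL_SECONDS):
    """Return the user name if the MAC checks out and T is within ttl, else None."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 3:
        return None
    user_b64, issued_str, mac_b64 = parts
    payload = user_b64 + "." + issued_str
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    try:
        mac = _unb64(mac_b64)
    except ValueError:  # binascii.Error is a ValueError
        return None
    # check the MAC before trusting any field; constant-time comparison
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        issued_at = int(issued_str)
        user = _unb64(user_b64).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # reject tokens that are too old, or that claim to come from the future
    if issued_at > now or now - issued_at > ttl_seconds:
        return None
    return user
```

With the stateless variant the server keeps only K; a token with a modified user name or timestamp fails the MAC check, and the timestamp bounds its lifetime without any server-side table. The trade-off is that such a token cannot be revoked individually short of rotating K, which the table-backed variant handles by simply deleting the entry.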