I need to implement a number of web pages for resetting an API access key:
- user must be logged in first
- user gets to "confirmation" page that has a "confirmation" link with a time token inserted
- user follows a "confirmation" link
- server gets the token from the followed link and decides whether it's fresh enough (say at most five minutes fresh is considered good)
- if the token is fresh enough the server resets the API access key, otherwise it refuses to do so and asks the user to go back and obtain a link with a new token
This is intended to prevent users from accidentally reusing the link and resetting API keys unintentionally.
So the problem is the time token. The easiest way it to just get server local time and insert it into the hyperlink. Time represented as number of "ticks" (similar to Unix time) is just fine. This discloses the server local time to the user because the user needs to have a hyperlink before he can follow it.
Maybe it's no good to disclose local time to the user - maybe it facilitates some clever attacks against the server.
Does disclosing server time introduce any extra security risks?