I am not very strong in cryptography, so there is my question.
Our forum application sends notifications of new messages to our users if they select it. The email should contain a link to unsubscribe from these messages. Now I want this link to work even if the user is not currently authenticated with our service (no cookie).
To do this, I decided to simply sign the request with SHA1, for example:
http://example.com/unsubscribe?u=234&s=52342&h=0b071440146545eaf3f00ef9cdeb1d47d006dfff
Here uis the identifier of the user who wants to unsubscribe, sis some random salt, his a safe hash calculated by combining the name of the action (unsubscribe), parameters and their values (u = 234s = 52342) and some secret line specified in configuration of our service and calculating the SHA1 hash of the resulting string:
sha1('unsubscribeu=234s=52342supersecret')
My question is about this parameter s, which is randomly generated every time. Does it add security here or not? Is it really necessary?
If I use encryption, does it make sense to add this kind of salt to the encrypted data?
This is more of a theoretical question, since it is unlikely that someone will want to guess that the "supersecret" on our service is just joking - they will unsubscribe a bunch of users, but still interesting.