nonce - number used once
prevents replay attacks, semantic URL attacks
nonce = md5(actionName + itemId + userid + timestamp + salt);
<a href="/items/delete?item=7243&nonce=$nonce&timestamp=$timestamp">delete item</a>
- On request recreate nonce.
- Before action check for expiration (timestamp).
- Insert each used nonce into the database (nonce, timestamp). Before the action, check that the nonce is NOT in the database.
- Clear expired nonces from the database.
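
The four steps above as one server-side check, written as an added example (not code from the original notes). It swaps the md5-plus-salt construction for HMAC-SHA256 with a server-side key; `SECRET`, `TTL`, the `used_nonces` table and the function names are assumptions.

```python
import hashlib
import hmac
import sqlite3

SECRET = b"constructed-demo-secret"  # assumption: server-side key in the role of the salt
TTL = 300                            # assumption: links stay valid for 300 seconds


def make_nonce(action, item_id, user_id, timestamp):
    # Separator keeps fields from running together (action names are
    # server-chosen and contain no "|").
    msg = "|".join([action, str(item_id), str(user_id), str(timestamp)]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def open_store():
    db = sqlite3.connect(":memory:")
    # PRIMARY KEY turns "check not used" and "mark used" into one atomic INSERT.
    db.execute("CREATE TABLE used_nonces (nonce TEXT PRIMARY KEY, timestamp INTEGER)")
    return db


def check_request(db, action, item_id, user_id, timestamp, nonce, now):
    """Return 'ok' if the action may run, otherwise the reason for rejection."""
    with db:  # commit on exit
        # Clear expired nonces; anything removed here would fail the expiry check anyway.
        db.execute("DELETE FROM used_nonces WHERE timestamp < ?", (now - TTL,))
        # Recreate the nonce from the request parameters, compare in constant time.
        expected = make_nonce(action, item_id, user_id, timestamp)
        if not hmac.compare_digest(expected.encode(), nonce.encode()):
            return "bad nonce"  # a tampered item id or user id lands here
        # Check for expiration.
        if now - timestamp > TTL:
            return "expired"
        # Record the nonce; a duplicate insert means it was already used.
        try:
            db.execute("INSERT INTO used_nonces VALUES (?, ?)", (nonce, timestamp))
        except sqlite3.IntegrityError:
            return "replayed"
        return "ok"
```

The caller runs the action only on `"ok"`; passing `now` explicitly keeps the expiry logic testable.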