Also, as a usability feature, it may be a good idea for the verify token API to also return the website field in the data it returns along with the account number. This would make it much harder for someone to just copy a token and present it to someone as a short URL (that doesn't contain their userid/website in the display of the link) because then the person verifying the token may just look for the TRUE in the data that is returned.
If the token contained a website, this would create a big problem with privacy.
[/quote]
Hm, sounds like we have been using them for an unintended purpose. Can you explain the intention of the token?
Also, please answer this question: assume we run 1 Java instance of a non-hallmarked node on a PC. 1 user uses the GUI to unlock and start forging. They close their browser without locking back. So they are still forging... BUT what happens then if another user connects to that Java instance and unlocks a different passphrase/account? Do both accounts begin forging off the same Java instance?
Then, what are the implications if the node is hallmarked with the 1st account?