Length of a security token

I'm using security tokens to create not guessable URLs like this (16 bytes, hex)

http://example.com/something/private/b5f8c21a628e12b39786fb8ef9561d31

The token is something like a shared passwords: Who knows the URL is allowed to access开发者_运维问答 the resource.

How many bytes should a secure random value have to be appropriate for secure URLs?

---

I've ended up with a 64 Bit random value which is encoded as url-safe Base64. The possibility to guess the correct token is 1 / 2^64 what is equal to 1 / 18446744073709551616. This is a pretty impressive number and it would be nearly impossible for an attacker to find the correct token with http requests.

URLs look like this now: http://example.com/private/1oWYPiqO81k/

---

Well all applications depend on a cryptographic nonce at some point. After all this is a session id or csrf token value. The importance here is that it doesn't matter how long the value is if the attacker has 100 years to break it. Now 100 years is a long time, but you should strive for your designs to last this long.

The main difference in security between a cookie and your value is that the cookie expires and changes for every use. But in all reality this value should be avoided at all costs. If this is used for authentication, then rely on the session id, that's why its there. Don't roll your own session.

---

10 unicode characters URLs for example, are pratically impossible to guess because tokens are 160 bits long and thus there are 2 ^ 160 different possible URLs. However you shouldn't rely on something like that for security, but on classical login and auth