Re: Re: Check the cookie for changes


The stupid question is the question not asked
	PerlMonks

Re: Re: Check the cookie for changes

by drewbie (Chaplain)

on Mar 26, 2002 at 17:53 UTC ( [id://154452]=note: print w/replies, xml )

Need Help??

in reply to Re: Check the cookie for changes
in thread Web based password management (or how *not* to blame tye)

Anyone who modifies the cookie can also recompute the hash value so that it matches. To prevent that, you need to include secret information in the hash itself -- see Digest::HMAC. If you go that route, you can eliminate the need to store session information on the web server at all.

I'm not sure if we're talking about the same thing here or not. The hash I mentioned is a MAC of the cookie value you are sending along w/ a secret string stored on the server. This MAC does prevent the attacker from regenerating the cookie. A good example of this in Apache::TicketTool::make_ticket discussed in the mod_perl book (Writing Apache Modules in Perl and C by Stein & MacEachern) page 317.

So I think we're talking about the same thing. I haven't had time to finish reading RFC 2104 (which Digest::HMAC implements), so I can't be sure. But I know the method I mentioned has been widely discussed as reasonably secure.

Comment on Re: Re: Check the cookie for changes

In Section Meditations

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://154452]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others having a coffee break in the Monastery: (3)

As of 2024-04-26 00:07 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found