(ichimunki) re x 2: Is this use of crypt() appropriate?

Cool module. But I still think it leaves the cookie vulnerable to sniffing, which is all that is needed. If I can replicate your cookie, encrypted or not, I can pass it to the server as if I were you and more likely than not the server will believe everything is fine. That's the reason we have to encrypt the transmission itself and not merely the contents of the cookie. That way an attacker has almost no chance to guess which parts of the transmission are the cookie and re-use them.

Comment on (ichimunki) re x 2: Is this use of crypt() appropriate?

Replies are listed 'Best First'.
Re: (ichimunki) re x 2: Is this use of crypt() appropriate? by BMaximus (Chaplain) on Nov 09, 2001 at 06:14 UTC
Good point. But I doubt that a person who is sniffing on the net would get the whole thing. It would take a person being on the same LAN to get the whole cookie with a sniffer. As I was thinking that a way to combat this would be to add the IP address of the computer the cookie is being sent to into the encrypted contents. However something like that would cause a problem with anyone who is using a proxy (like AOL). If I were doing E-Commerce I would most definatly use SSL. Any way of securing a cookie without SSL? Taking an MD5 of the cookie won't do it since the cookie is not changed. Where does being carefull cross over to being overly paranoid? BMaximus	[reply]

Replies are listed 'Best First'.

Re: (ichimunki) re x 2: Is this use of crypt() appropriate?
by BMaximus (Chaplain) on Nov 09, 2001 at 06:14 UTC

[reply]