in reply to Re^8: encrypt/decrypt string
in thread encrypt/decrypt string

  1. ...?id=mylogin
    attacker knows another user's login or guesses it and can easily impersonate that user.
  2. ...?id=myloginencrypted
    attacker knows another user's login and can deduce the encoding/encryption scheme (e.g. by deriving it from his own login->loginencrypted; i.e. "plain text attack"). One more hurdle compared to (1), but not really that much harder.
  3. ...?id=randomtokenmatchedbyservertouser
    Here there is no encryption to guess. Attacker actually has to get hold of the token for the user he wants to impersonate (which works for (2) too, of course).
Seems you want to avoid (1) by choosing (2), which is not really an improvement IMHO. The alternative (3), proposed by others in this thread, is far "safer" with respect to your goal.
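Added example (not from the original thread): a minimal server-side session store in Python illustrating option (3). The token is an opaque random value from the OS CSPRNG, mapped to the login on the server; nothing about the login can be derived from the token, and nothing about the token can be derived from the login. The class name, the TTL and the sample logins are assumptions made for the example.

```python
import secrets
import time


class SessionStore:
    """Server-side map from an opaque random token to (login, expiry).

    Hypothetical helper for the example: the client only ever sees the
    token; the login->token association lives exclusively on the server.
    """

    def __init__(self, ttl_seconds=3600):
        self._sessions = {}          # token -> (login, expires_at)
        self.ttl = ttl_seconds

    def issue(self, login, now=None):
        """Create a fresh token for a login that has already authenticated."""
        now = time.time() if now is None else now
        # 32 bytes = 256 bits of OS randomness; not derived from the login,
        # so knowing someone's login gives no information about their token.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (login, now + self.ttl)
        return token

    def lookup(self, token, now=None):
        """Return the login bound to the token, or None if unknown/expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        login, expires_at = entry
        if now >= expires_at:
            # Expired sessions are dropped on first touch.
            del self._sessions[token]
            return None
        return login

    def revoke(self, token):
        """Invalidate a token server-side (logout); returns True if it existed."""
        return self._sessions.pop(token, None) is not None


def demo():
    # Constructed sample data for the demo.
    store = SessionStore(ttl_seconds=60)
    t_alice = store.issue("alice", now=1000)
    t_bob = store.issue("bob", now=1000)
    return {
        "alice_ok": store.lookup(t_alice, now=1001),        # "alice"
        "bob_ok": store.lookup(t_bob, now=1001),            # "bob"
        # Presenting a login (scheme 1) or anything computed from a login
        # (scheme 2) as if it were a token finds nothing in the store.
        "login_as_token": store.lookup("alice", now=1001),  # None
        "expired": store.lookup(t_alice, now=1061),         # None
        "after_revoke": (store.revoke(t_bob), store.lookup(t_bob, now=1001)),
    }


if __name__ == "__main__":
    print(demo())
```

Two tokens issued to the same login differ, so an attacker cannot learn anything reusable from their own session, which is exactly the property option (2) lacks.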

Re^10: encrypt/decrypt string
by artist (Parson) on Oct 27, 2006 at 14:38 UTC
    In (2): Attacker has to guess A. encryption type and B. 'salt' used. What if 'salt' required for encryption is deduced from login, by some magic formula?
    --Artist