If my digest is made from a $string that's made of $known_word.$secret_word, can someone suppose that, let's say, the secret word has 5 characters, run through all the letter combinations, and finally come to a match on the digest and figure out the secret_word?
I know that it would be mannnnyyyyy combinations, but if the secret_word (or number) is short, isn't it easy to find it?

Mariusz





From: "Jenda Krynicky" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: session ID
Date: Thu, 13 Feb 2003 00:37:38 +0100

From:  "mario kulka" <[EMAIL PROTECTED]>
> Still a little bit confused;
> So what if someone just creates an HTML with a hidden field containing
> any "login:time" plus another hidden with MD5 hash made out of his own
> IP+login+time and submits it? According to your explanation I
> understood that if my script verified that the hash generated by the
> script based on values he submitted and his IP, matches his(in this
> case it would) I should let him in.

There was one tiny thing missing in the explanation.
You should generate the MD5 out of
	IP+login+time+SECRET_STRING

So if they do not know the SECRET_STRING, they can hash all they want
:-)

> Or do I in the meantime store the
> hash in his profile in the MySQL db and match that against his? The
> only reason I would think it would be hard to do is for someone to
> guess that the hash was made of his IP and not something else. In that
> case wouldn't be better to make the hash out of: $login.$password and
> then pass as hidden only login; then someone to create the right MD5
> must know the password (which I can pull off the db when trying to
> validate the original hash).

That's exactly the problem. If you include the password in the hash
you have to fetch it from the DB each time, just to check whether you
have already validated the user.

Jenda
===== [EMAIL PROTECTED] === http://Jenda.Krynicky.cz =====
When it comes to wine, women and song, wizards are allowed
to get drunk and croon as much as they like.
	-- Terry Pratchett in Sourcery


--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
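Jenda's construction (MD5 over IP+login+time+SECRET_STRING) and the brute-force attack Mariusz is asking about, as an added Python example that is not code from the thread. The IP address, login, timestamp and both secrets below are constructed values; the field separator and the `hmac.compare_digest` check are my additions, not part of the scheme as Jenda stated it. The example shows that a token made with a short secret falls to exhaustive search in well under a second, while the same search against a long secret finds nothing, which is the practical answer to Mariusz's question: the secret must be long and random, not a word. (A modern implementation would use HMAC, for example `hmac.new(secret, material, "sha256")`, rather than a bare hash of a concatenation, but the brute-force argument is the same either way.)

```python
import hashlib
import hmac
import itertools
import string

# Constructed example secret; in a real deployment this is a long random
# value stored server-side and never sent to the client.
SECRET_STRING = "correct horse battery staple"


def make_token(ip, login, time, secret=SECRET_STRING):
    """Jenda's scheme: MD5(IP+login+time+SECRET_STRING).

    The fields are joined with ':' (my addition) so that, e.g., login 'ab'
    with time '1...' cannot produce the same input as login 'a' with time 'b1...'.
    """
    material = ":".join([ip, login, str(time), secret]).encode()
    return hashlib.md5(material).hexdigest()


def verify_token(ip, login, time, token, secret=SECRET_STRING):
    """Recompute the digest from the submitted fields and the server's secret.

    compare_digest avoids leaking where the first mismatching byte is
    through timing differences.
    """
    expected = make_token(ip, login, time, secret)
    return hmac.compare_digest(expected, token)


def brute_force_secret(ip, login, time, token,
                       alphabet=string.ascii_lowercase, max_len=4):
    """Mariusz's attack: the attacker knows IP, login, time and the digest
    (all of which the form exposes) and tries every candidate secret up to
    max_len characters. Returns (secret, attempts) or (None, attempts).
    """
    tries = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            tries += 1
            guess = "".join(combo)
            if make_token(ip, login, time, guess) == token:
                return guess, tries
    return None, tries


if __name__ == "__main__":
    ip, login, when = "10.0.0.5", "mario", 1045091858  # constructed values

    token = make_token(ip, login, when)
    print("genuine token verifies:", verify_token(ip, login, when, token))
    print("forged login verifies: ",
          verify_token(ip, "mallory", when, token))

    # A three-letter secret: 26 + 26**2 + 26**3 = 18278 candidates at most.
    weak = make_token(ip, login, when, secret="abc")
    print("weak secret recovered:", brute_force_secret(ip, login, when, weak,
                                                       max_len=3))

    # The long secret survives the same search budget.
    print("strong secret search:", brute_force_secret(ip, login, when, token,
                                                      max_len=3))
```

The search space grows as alphabet_size ** length, so lengthening the secret or widening the alphabet is what defeats the attack; the hash function itself contributes nothing, since the attacker can compute MD5 as fast as the server can.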
