Oh yeah, that is such standard practice for me that I forgot to mention it. checksum = secret on server + cookie value

What is a "nonce"? I'm guessing an id that is marked as used to prevent multiple submissions?

Drew

At 05:02 PM 4/23/02 -0500, David Turner wrote:
> .... but the bad guys will just change your checksum, too. Instead,
> concatenate with some secret stored on your disk, and a nonce (to
> prevent replay attacks), *then* checksum.
>
> On Tue, 2002-04-23 at 15:11, Drew Taylor wrote:
> > There's two ways to do this: the expire time on the cookie (less reliable)
> > or setting an expire time as part of the cookie value (more reliable). And
> > if you're using a cookie for anything other than a cryptographically random
> > session id, be sure to add a checksum (MD5 or SHA1) so you can detect
> > tampering.
> >
> > Drew
> >
> > At 03:53 PM 4/23/02 -0400, John Saylor wrote:
> >
> > > ( 02.04.23 15:16 -0400 ) Sean Quinlan:
> > > > How do I either scrub the header or force Apache to resend the login
> > > > request?
> > >
> > > If you use cookies to keep state, you can set a time stamp on them that
> > > will force reauthentication once they expire.
>
> --
> -Dave Turner Stalk Me: 617 441 0668
> "Anyone who has seen, for example, the film Final Fantasy: The
> Spirits Within (H. Sakaguchi and M. Sakakibara directors, 2001)
> can understand the Government's concern."
> -Justice Sandra Day O'Connor, http://supct.law.cornell.edu/supct/html/00-795.ZX.html

======================================================================
Drew Taylor                                    JA[P|m_p]H
http://www.drewtaylor.com/         Just Another Perl|mod_perl Hacker
mailto:[EMAIL PROTECTED]              *** God bless America! ***
----------------------------------------------------------------------
Speakeasy.net: A DSL provider with a clue. Sign up today.
http://www.speakeasy.net/refer/29655
======================================================================
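The cookie scheme discussed in this thread (server secret + expiry carried in the cookie value + nonce, then a checksum so tampering is detected), as an added example that is not from any poster's code. It assumes a constructed secret and a 15-minute TTL, and uses HMAC rather than a bare MD5/SHA1 over secret||value, since a plain hash of that concatenation allows length-extension forgery.

```python
# Added example (not from the thread): tamper-evident cookie carrying an
# expiry time and a nonce, authenticated with a server-side secret via HMAC.
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-server-secret-lives-on-disk-not-in-cookie"  # assumption
TTL_SECONDS = 900  # assumption: 15-minute validity window


def make_cookie(session_id, now=None):
    """Return 'session_id|expires|nonce|mac' for the browser to store."""
    now = time.time() if now is None else now
    expires = int(now) + TTL_SECONDS
    nonce = secrets.token_hex(8)  # fresh random value per issued cookie
    payload = f"{session_id}|{expires}|{nonce}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(cookie, used_nonces, now=None):
    """Return the session id if the cookie is authentic, unexpired and not
    replayed; otherwise None. used_nonces is server-side state.

    Marking the nonce as used makes this a one-shot token (the 'multiple
    submissions' case); a long-lived session cookie would instead be
    re-issued with a fresh nonce on every response."""
    now = time.time() if now is None else now
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    session_id, expires, nonce, mac = parts
    payload = f"{session_id}|{expires}|{nonce}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Check the MAC first, in constant time, so a forged cookie never
    # reaches the other checks and the comparison does not leak timing.
    if not hmac.compare_digest(mac, expected):
        return None
    if not expires.isdigit() or now >= int(expires):
        return None  # expiry is inside the MAC, so it cannot be extended
    if nonce in used_nonces:
        return None  # same cookie presented again: replay
    used_nonces.add(nonce)
    return session_id
```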
