[forwarded submission from a non-member address -- rjk]
From: David Turner <[EMAIL PROTECTED]>
Date: 23 Apr 2002 17:29:51 -0500
Subject: Re: [Boston.pm] header munging in Apache with mod_perl
To: Drew Taylor <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]

A nonce is a non-secret, but meaningless number which is different for
each message. Usually, it's a counter.

Let's say you don't have one. The user looks at their cookie, and then
does something on the site which would change the value of the cookie.
They can at any time go back to the old value of the cookie. Since the
data is the same, and your stored secret is the same, the hash is the
same, so they can just re-use the message. Adding a nonce prevents this.

On Tue, 2002-04-23 at 16:05, Drew Taylor wrote:
> Oh yeah, that is such standard practice for me that I forgot to mention it.
> checksum = secret on server + cookie value
>
> What is a "nonce"? I'm guessing an id that is marked as used to prevent
> multiple submissions?
>
> Drew
>
> At 05:02 PM 4/23/02 -0500, David Turner wrote:
> >.... but the bad guys will just change your checksum, too. Instead,
> >concatenate with some secret stored on your disk, and a nonce (to
> >prevent replay attacks), *then* checksum.
> >
> >On Tue, 2002-04-23 at 15:11, Drew Taylor wrote:
> > > There are two ways to do this: the expire time on the cookie (less reliable)
> > > or setting an expire time as part of the cookie value (more reliable). And
> > > if you're using a cookie for anything other than a cryptographically random
> > > session id, be sure to add a checksum (MD5 or SHA1) so you can detect
> > > tampering.
> > >
> > > Drew
> > >
> > > At 03:53 PM 4/23/02 -0400, John Saylor wrote:
> > >
> > > >( 02.04.23 15:16 -0400 ) Sean Quinlan:
> > > > > How do I either scrub the header or force Apache to resend the login
> > > > > request?
> > > >
> > > >If you use cookies to keep state, you can set a time stamp on them that
> > > >will force reauthentication once they expire.
> > >
> > > ======================================================================
> > > Drew Taylor                                              JA[P|m_p]H
> > > http://www.drewtaylor.com/          Just Another Perl|mod_perl Hacker
> > > mailto:[EMAIL PROTECTED]                  *** God bless America! ***
> > > ----------------------------------------------------------------------
> > > Speakeasy.net: A DSL provider with a clue. Sign up today.
> > > http://www.speakeasy.net/refer/29655
> > > ======================================================================
> >--
> >-Dave Turner                              Stalk Me: 617 441 0668
> >"Anyone who has seen, for example, the film Final Fantasy: The
> >Spirits Within (H. Sakaguchi and M. Sakakibara directors, 2001)
> >can understand the Government's concern." -Justice Sandra Day
> >O'Connor, http://supct.law.cornell.edu/supct/html/00-795.ZX.html
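As an added illustration (not code from the thread), here is a Python sketch of the scheme the replies converge on: the cookie data, an expiry carried inside the signed value, a per-user counter nonce, and a checksum over all of them keyed with a secret kept on the server. HMAC-SHA256 is used in place of the MD5/SHA1 checksum mentioned above; the cookie layout, the `CookieSigner` class and the `demo` scenario are my own assumptions.

```python
import hashlib
import hmac

# Constructed secret for this example; on a real server it is read from a file on disk.
SERVER_SECRET = b"example-secret-kept-on-the-server"

class CookieSigner:
    """Cookie layout: user|data|expires|nonce|mac (fields must not contain '|'), with
    mac = HMAC-SHA256(secret, first four fields). The nonce is a per-user counter bumped
    on every issue, so an old cookie (same data, same secret) no longer matches."""

    def __init__(self, secret, now):
        self.secret, self.now = secret, now   # now(): injectable clock, seconds
        self.counters = {}                    # user -> current nonce; a shared store in practice

    def _mac(self, user, data, expires, nonce):
        msg = f"{user}|{data}|{expires}|{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user, data, ttl=900):
        expires = int(self.now()) + ttl
        nonce = self.counters[user] = self.counters.get(user, 0) + 1
        return f"{user}|{data}|{expires}|{nonce}|{self._mac(user, data, expires, nonce)}"

    def verify(self, cookie):
        """Return ("ok", (user, data)) for a valid cookie, else (reason, None)."""
        try:
            user, data, expires, nonce, mac = cookie.split("|")
            expires, nonce = int(expires), int(nonce)
        except ValueError:
            return "malformed", None
        # Constant-time checksum comparison before any field is trusted.
        if not hmac.compare_digest(mac, self._mac(user, data, expires, nonce)):
            return "bad-mac", None        # tampered data or a forged checksum
        if self.now() > expires:
            return "expired", None        # expiry lives inside the signed value
        if nonce != self.counters.get(user):
            return "replayed", None       # stale cookie presented after a newer one was issued
        return "ok", (user, data)

def demo():
    # The thread's scenario: reissue, replay the old cookie, tamper, then let it expire.
    clock = [1_000_000]
    s = CookieSigner(SERVER_SECRET, now=lambda: clock[0])
    old = s.issue("alice", "role=user")
    new = s.issue("alice", "role=user")   # reissued after the user changed something
    tampered = new.replace("role=user", "role=admin")
    results = {"old": s.verify(old)[0], "new": s.verify(new)[0],
               "tampered": s.verify(tampered)[0]}
    clock[0] += 901                       # the 900 s ttl has passed
    results["expired"] = s.verify(new)[0]
    return results
```

Because the nonce is a counter rather than a one-shot value, the current cookie can be presented on every request; only cookies older than the latest issued one are refused.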
