Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight
 
PerlMonks  

Re: Cookies & Encryption

by stephen (Priest)
on Apr 15, 2002 at 02:06 UTC ( #159061=note: print w/ replies, xml ) Need Help??


in reply to Cookies & Encryption

MD5 is not an encryption algorithm. It's a fingerprinting system. If two pieces of data have the same MD5 fingerprint, it's very, very likely that they're the same. For example, the CPAN module uses MD5 to make sure (well, sort of sure) that the module that it just downloaded is the module that the author uploaded, and not some l33t d00d's attempt to break into your computer. MD5 is not in itself a digital signature system, though, since anyone can generate an MD5 digest of a piece of data. There is no secret key.

In the past, I've created systems where one would store, say, the username in the cookie, plus a digest of the username plus some secret phrase. Anyone could read the cookie, but it would be slightly harder to tamper with it, since the hash would no longer match up.

use strict; use Digest::MD5 qw(md5_base64); use constant SECRET_PHRASE => 'myzylplyk'; warn "This method is not secure!\n"; # Turn 'angela' into quasi-signed cookie my $cookie = generate_cookie('angela'); print "Cookie for 'angela' is: '$cookie'\n"; # Turn quasi-signed cookie back into angela print "Translating back: "; print "ok\n" if get_username($cookie) eq 'angela'; # See what happens if we turn angela into mary $cookie =~ s/angela/mary/; print "Gonna die now\n"; my $username = get_username($cookie); sub make_hash { my ($username) = @_; return md5_base64($username . SECRET_PHRASE); } sub generate_cookie { my ($username) = @_; my $enc_hash = make_hash($username); return "$username:$enc_hash"; } # Returns the username if all checks out, # dies horribly otherwise sub get_username { my ($cookie) = @_; my ($username, $digest) = split(/:/, $cookie); make_hash($username) eq $digest or die "Hack attack! Username '$use +rname' doesn't match hash\n"; return $username; }

This method is NOT secure. Someone could sniff packets, read the cookie, and take over someone else's identity. You could add a timestamp to the cookie to patch it slightly... but it would still be possible to do some serious damage by simply grabbing a cookie and using it immediately. You could add an IP address, but... the list goes on and on.

You'll probably do better using a Crypt:: module. You can use the MIME::Base64 module to translate the hi-ascii characters to something relatively web-safe. Or use HTTPS.

stephen


Comment on Re: Cookies & Encryption
Select or Download Code

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://159061]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others romping around the Monastery: (6)
As of 2014-07-25 11:51 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (170 votes), past polls