Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris
 
PerlMonks  

Re^4: Is this a secure way to prevent cookie tampering

by EvdB (Deacon)
on Jun 29, 2004 at 16:01 UTC ( #370524=note: print w/ replies, xml ) Need Help??


in reply to Re^3: Is this a secure way to prevent cookie tampering
in thread Is this a secure way to prevent cookie tampering

You are of course correct that a truely random number would be secure. In fact my approach of ID + secret just moves the randomness to a different part.

I prefer the id + secret route because it is easier to deal with in the database. The id can be a integer which the indexes like and the secret is just a char(30) or whatever. Having the id as an integer allows for easy referencing from other tables. There is also the cosmetic appeal of seeing how many sessions you have gone through...

--tidiness is the memory loss of environmental mnemonics


Comment on Re^4: Is this a secure way to prevent cookie tampering
Download Code
•Re^5: Is this a secure way to prevent cookie tampering
by merlyn (Sage) on Jun 29, 2004 at 16:35 UTC
    Having the id as an integer allows for easy referencing from other tables. There is also the cosmetic appeal of seeing how many sessions you have gone through...
    Then just send your strong secret over the wire, and use a database table to map your strong secret to a simple session ID. That'll help you reject bad secrets faster too, or even make it possible to change the secret every minute without messing up the sessions.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

Re^5: Is this a secure way to prevent cookie tampering
by iburrell (Chaplain) on Jun 29, 2004 at 16:37 UTC
    You don't need to put the id in the cookie. It is acceptable to use the sequential integer id as the primary key in the database. Having a longer key is a good idea since it makes it harder to guess. You can send just the key in the cookie, and look that up to find the session.
      I hope you mean sequential as in a sequence with hard to predict next values. It's better off to take noise from /dev/urandom or something like taht. Pregenerate the primary keys or something. But don't use a predictible sequence. Otherwise, guessing what someone else's session key is easy. Even if you are encrypting, if the encryption is broken, a random next number is harder to guess.

      Bart: God, Schmod. I want my monkey-man.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://370524]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others scrutinizing the Monastery: (12)
As of 2014-12-18 09:46 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (48 votes), past polls