
Re: Is this a secure way to prevent cookie tampering

by jayrom (Pilgrim)
on Jun 30, 2004 at 14:23 UTC (#370768)

in reply to Is this a secure way to prevent cookie tampering

I agree with hardburn.
What I use is taken from Lincoln Stein's Apache Modules book. I create a string which is passed to the cookie and is also saved in a database for comparison.
It might be overkill, but the cookie string is updated on each page, as one of the fields used to create it is a timestamp. As Lincoln points out, this is extremely sensitive to the smallest change in passed parameters, and is therefore very hard to spoof and (almost) ensures randomness.
use MD5;
my $MAC = MD5->hexhash( $secret . MD5->hexhash(join '', $secret, @fields) );
The $secret variable holds a 128 character string, which should be as random as possible.
The @fields array holds whatever data you want to use, as stated before preferably not relevant user data, which combination should of course be unique for each session.
Changing the $secret string on a regular basis will also provide peace of mind ;-)


use MD5;
my $MAC = MD5->hexhash( $secret . MD5->hexhash(join ':', $secret, @fields) );
It looks like the book had a typo as this correct version of the code appears somewhere else in the book.
Sorry Lincoln, my bad!


Re^2: Is this a secure way to prevent cookie tampering
by Anonymous Monk on Jun 30, 2004 at 16:58 UTC
    This is almost the same as Digest::HMAC, except that it uses the same $secret for each hash computation.

    The choice of an empty string in the join is not good, though. Do you really want to produce the same authenticator for these two inputs?

    @fields1 = ( "foobar", "baz" );
    @fields2 = ( "foo", "barbaz" );
      Very good point!
      Proves that you should never trust code even from the accepted gurus.
      Shame on me ;-)
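
Added example, not part of the thread or the book: it reproduces the collision the reply describes and goes one step further by showing that a ':' separator collides the same way once a field itself contains a colon. Digest::MD5's md5_hex stands in for the old MD5->hexhash; the length-prefixed HMAC-SHA256 (Digest::SHA) is a swapped-in construction, and the secret, field values and helper names are constructed for illustration.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);          # core; md5_hex stands in for the old MD5->hexhash
use Digest::SHA qw(hmac_sha256_hex);  # core; swapped-in MAC, not the thread's construction

# Constructed sample secret; a real one is random and stays on the server.
my $secret = 'constructed-sample-secret';

# The construction from the thread, with the join separator as a parameter.
sub thread_mac {
    my ($sep, @fields) = @_;
    return md5_hex($secret . md5_hex(join $sep, $secret, @fields));
}

# Length-prefix each field ("6:foobar3:baz") so the field boundaries are part
# of the authenticated message. Assumes the fields are byte strings.
sub encode_fields { return join '', map { length($_) . ':' . $_ } @_ }

sub cookie_mac { return hmac_sha256_hex(encode_fields(@_), $secret) }

# Compare every character before deciding, so timing does not reveal the
# position of the first mismatch.
sub mac_ok {
    my ($got, @fields) = @_;
    my $want = cookie_mac(@fields);
    return 0 unless length($got) == length($want);
    my $diff = 0;
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. length($want) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed inputs: the pair from the reply, and a pair containing the separator.
my @cases = (
    [ "join ''",  sub { thread_mac('',  @_) }, ['foobar', 'baz'], ['foo', 'barbaz'] ],
    [ "join ':'", sub { thread_mac(':', @_) }, ['foobar', 'baz'], ['foo', 'barbaz'] ],
    [ "join ':'", sub { thread_mac(':', @_) }, ['a:b', 'c'],      ['a', 'b:c']      ],
    [ "HMAC+len", \&cookie_mac,                ['foobar', 'baz'], ['foo', 'barbaz'] ],
    [ "HMAC+len", \&cookie_mac,                ['a:b', 'c'],      ['a', 'b:c']      ],
);
for my $case (@cases) {
    my ($name, $mac, $x, $y) = @$case;
    printf "%-9s (%s) vs (%s): %s\n", $name, join(',', @$x), join(',', @$y),
        $mac->(@$x) eq $mac->(@$y) ? 'SAME authenticator' : 'different';
}

# Constructed session fields: verify the value sent with the cookie, then a tampered one.
my $sent = cookie_mac('sess-4f2a', '1088605380');
print "untampered: ", mac_ok($sent, 'sess-4f2a', '1088605380'), "\n";
print "tampered:   ", mac_ok($sent, 'sess-0001', '1088605380'), "\n";
```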

